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A Comprehensive Analysis 
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The MITRE Corporation 

McLean, Virginia 22102 

Abstract 

We perform a comprehensive analysis of practical quantum cryptography (QC) 
systems implemented in actual physical environments via either free-space or fiber- 
optic cable quantum channels for ground- ground, ground-satellite, air-satellite and 
satellite-satellite links. 

(1) We obtain universal expressions for the effective secrecy capacity and rate for 
QC systems taking direct and ancillary processes into account. The analysis in Part 
One treats three important individual quantum bit attacks, comprising generic ad- 
mixtures of indirect attacks, direct attacks and previously unconsidered simultaneous 
combinations of the two types. In all these cases we obtain for the first time necessary 
and sufficient exact closed form expressions for privacy amplification. Our analysis 
also includes for the first time the explicit calculation in detail of the total cost in bits 
of continuous authentication, thereby obtaining new results for actual ciphers of finite 
length, as well as previously obtained limits for idealized ciphers of infinite length. 

(2) We perform for the first time a detailed, explicit analysis of all systems losses 
due to and errors and noises, including turbulent and static atmospheric propagation 
losses, optics package losses, intrinsic channel losses, etc., as appropriate to both optical 
fiber cable- and satellite communications-based implementations of QC. 

(3) We calculate for the first time all system load costs associated to classical com- 
munication and computational constraints that are ancillary to, but essential for carry- 
ing out, the pure QC protocol itself, including the full classical communications band- 
width requirements and the full computer machine instruction requirements needed to 
support actual QC implementations. 

(4) We introduce an extended family of generalizations of the Bennett-Brassard 
(BB84) QC protocol that equally provide unconditional secrecy but allow for the pos- 
sibility of optimizing throughput rates against specific cryptanalytic attacks. 

(5) We obtain universal predictions for maximal rates that can be achieved with 
practical system designs under realistic environmental conditions, taking into account 
our results for total system losses and loads. 
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(6) We propose a specific QC system design that includes the use of a novel method 
of high-speed photon detection that may be able to achieve very high throughput rates 
for actual implementations in realistic environments. 

(7) We deduce the dependence of the effective throughput on processing block size 
for actual ciphers of finite length and derive thereby an upper bound on practical 
processing block sizes dictated by current available computing machinery. We use this 
to show how a system employing an array of parallel transmitter and receiver devices 
can be multiplexed to substantially increase the throughput of shared secret cipher. 



PACS: 03.67.Dd, 42.50.Dv, 42.79.Sz, 42.68.Ay, 42.68.Bz, 42.81.Dp, 89.80.+h 



PRACTICAL QUANTUM CRYPTOGRAPHY: A COMPREHENSIVE ANALYSIS 

PART ONE - Quantum Cryptography without Entangled States (this volume) 
PART TWO - Quantum Cryptography with Entangled States (to appear) 
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1 Prologue 

What is the reason for the excitement about quantum cryptography? Quantum cryptography 
is special because it provides a means for encrypting information that no amount of analysis 
can break. This is referred to as "unconditional secrecy." The Great Thing is that this 
property of quantum cryptography is not a consequence of some "hard" mathematics problem 
that might be solved one day, nor of some devilishly clever algorithm or fiendishly intricate 
hardware design that might be reverse-engineered one day, but instead is due to what are 
believed to be inviolable principles of physical law: the physics of Quantum Mechanics. If 
our understanding of quantum mechanics is correct, and after three-quarters of a century 
of research we know of no reason to believe it to be incorrect, quantum cryptography is 
and always will be unconditionally secret, irrespective of whatever advances are made in 
mathematics or computer science, and probably in any other sphere of human activity. If 
the question is "What is the strongest cryptographic protection possible, as constrained 
directly by physical law?" the answer is "Quantum Cryptography." 

Quantum cryptography specifically provides a method of distributing the secret keys required 
to provide unconditionally secret communications - these are the famous "one-time pads" - 
and its use is guaranteed to reveal the presence of an enemy attempting to compromise the 
transfer. All quantum communications, such as quantum cryptography, requires the use of a 
quantum channel, which is a means of transporting physical objects called quantum bits (or 
"qubits" ) in such a way that the quantum mechanical states of the qubits remain preserved 
from one end of the channel to the other. Two forms of quantum channel for quantum 
cryptography have thus far been shown to provide viable options, namely optical fiber cable, 
and (perhaps surprisingly) the atmosphere around us. The demonstrations conducted thus 
far have proved that it is possible to carry out quantum cryptography at low throughput 
rates, thus far not exceeding a few thousand bits per second. Our interest is in analyzing the 
possibilities for increasing the effective throughput rate for practical quantum cryptography 
systems to a range that is high enough to allow for the real-time encryption of useful volumes 
of data. 

Recent progress in high-speed photon detection, high-speed laser optoelectronics, wavelength 
and time division multiplexing and lasercomm terminal miniaturization has occurred which 
makes it for the first time possible to contemplate the design of high-speed quantum cryptog- 
raphy systems. In addition to determining how to optimize quantum cryptography systems 
built out of currently available technology (and ensure that such systems will be perfectly 
secret in the presence of system imperfections), our analysis identifies the problems, pro- 
vides corresponding solutions and demarcates the various constraints that will govern the 
development of high-speed quantum cryptography as new technology appears. The actual 
implementation of high-speed quantum cryptography systems would be invaluable, allow- 
ing for the first time the the practical possibility of one-time-pad-encrypted, undecipherable 
high-speed communications in bulk. If this can be achieved it will offer an essentially new 
degree of security in future high-bandwidth communications. 
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2 Introduction 



2.1 Overview 

Quantum key distribution (QKD) is a promising approach to the ancient problem of pro- 
tecting sensitive communications from the enemy. ^ QKD is not in itself a method of enci- 
phering information: it is instead a means of arranging that separated parties may share a 
completely secret, random sequence of symbols to be used as a key for the purpose of enci- 
phering a message. Our objective is to elevate the use of quantum key distribution to the 
status of supporting full end-to-end real-time Vernam encryption 0|2]- The Vernam cipher 
system (or systems based on it) provides the only known cryptographic method of achieving 
unconditionally secret communications.^ We thus envisage an end-to-end cryptosystem that 
includes an initial phase of quantum key distribution and a subsequent phase of encryption 
with the method of the Vernam cipher, continuously and at useful, high data throughput 
rates. There have been a number of experimental demonstrations of QKD reported recently 
[SI in El El 13 El El Hm m] that have been important in indicating the viability of the concept 
and in suggesting that it might be possible to incorporate QKD in practical systems appli- 
cations. The initial demonstrations of QKD have been at low data throughput rates, none 
exceeding a few kilobits per second. However, the application of quantum key distribution 
at low data throughput rates does not support unconditionally secret Vernam encryption of 
modern communications data volumes, although implementation of quantum key distribu- 
tion at low rates can indeed be useful as a means of distributing the cryptovariables that 
are used in traditional, classical symmetrical cryptography.^ For this purpose QKD systems 
operating at low data throughput rates of order a few thousand bits per second are perhaps 
adequate to play a supporting role for classical enciphering systems. However, classical cryp- 
tography (symmetrical or not) is not unconditionally secret, with the sole exception being 
the Vernam system (or systems directly based on it). There are situations and circumstances 
for which it is desirable, and in some cases absolutely essential, to increase the secrecy to the 
level possible only with the use of the Vernam cipher method. However, since the Vernam 
method requires a shared cipher at least as long, bit for bit, as the plaintext message to 
be enciphered, and moreover may under no circumstances be used more than one time, it 
is clear that slow data rates for key distribution^ will not work. Only a high speed QKD 
system can suffice to distribute, and distribute again and again as required, sufficiently large 
amounts of cipher material to support real-time Vernam encryption. We propose to reserve 

^We will sometimes em.ploy the word "enemy," following the usage of Shannon ^, to denote anyone who 
may intercept an enciphered message. 

^In the Vernam cipher system the message is referred, via the "exclusive or" (XOR) logic operation, 
to a random string of symbols, the Vernam cipher (one-time pad), resulting in another random string of 
symbols comprising the ciphertext. As a truly random string, the ciphertext is literally informationless, and 
cannot be decrypted by anyone not in possession of the random string used for the encryption. This is true 
irrespective of how much computing power they possess or which algorithms they utilize. 

■^For a review of classical cryptography, see jEl ^| ■ 

^We will use the words key and cipher to mean the same thing, since we always have in mind the Vernam 
system in particular, for which the two are synonymous. 
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the phrase quantum key distribution solely to describe the distribution of cipher material, 
and suggest that the phrase quantum cryptography be used to denote the combination in one 
complete end-to-end protocol of both QKD and subsequent Vernam encryption. Since, as 
discussed above, practical use in modern communications of the Vernam method requires 
high speed data throughput rates, quantum cryptography defined in this way for such an 
application is implicitly high speed quantum cryptography. In this sense practical quantum 
cryptography offers something never before technologically possible: the use of the Vernam 
cipher for those applications when unconditional secrecy is required or desirable, and indeed 
the fact that this can be done may lead to the suggestion of its use in circumstances for 
which it has previously only been thought of as an abstract idealization. 



2.2 Summary of Results 

The principal new contributions of this paper are as follows. We obtain: 

(1) A universal expression for the effective secrecy capacity that is valid in the general case 
of an actual cipher of finite length, that can be specialized to the case of an abstract cipher 
of infinite length, in eqs. ()lfJ2j) and ()lfJ4j) . In the course of the derivation we obtain three 
categories of new results: (a) exact, closed form expressions for the necessary and sufficient 
amount of privacy amplification required to ensure a secret shared key associated with direct, 
indirect and newly identified combined cryptanalytic attacks on the transmission (eqs. ()138p 
through ()140jl ). (b) a practical, universal bound on the complete privacy amplification func- 
tion that provides for useful data throughput values, while accounting for direct, indirect 
and combined individual attacks on the transmission,^ that is always at least as large as 
the minimum number of required subtraction bits required to ensure a secret shared key, 
in eqs. fll42|) through ()15H) . and (c) a complete closed- form expression for the necessary and 
sufficient number of bits required to effect continuous authentication, in eqs. ()152|) through 

(nnHD- 

(2) Complete characterizations of the total line attenuation losses, for free-space quantum 
channels, in eas.dTTnil. (ITHH|l . (fT^ . (IT^ . (IT!I)1) . (ITTin|) . m^ and (OHll . 

(3) A closed form relationship between intrinsic fractional quantum channel error and satellite- 
ground platform (or satellite-airborne platform or satellite-satellite) misalignment, in eqs. ()206|1 
and (jSni- 

(4) A closed-form expression relating the necessary amount of classical communications 
throughput to the parameters of the system, in the transmitter-receiver direction as well 
as in the receiver-transmitter direction (the two are not the same), and we obtain practical 
working values for particular systems, in eqs. ()2fi9|l . (j27()|l . ()272|1 and ()273|1 . 

^In Part One of this work we will consider those attacks that the enemy can conduct using classical 
computing machines. In Part Two we will extend the analysis to include the potential attacks that could be 
performed in the future if and when quantum computing machines are available. 
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(5) A closed-form expression relating the computational burden, measured in units of neces- 
sary machine instructions, to the system parameters, and we obtain practical working point 
values, in and below eq. ()286|) . 



(6) Universal maximal rate predictions, for a variety of quantum cryptography scenarios, 
including Earth-to-LEO satellite in clear weather, Earth-to-LEO satellite in poor weather, 
aircraft-to-LEO satellite, Earth-to-GEO satellite, GEO-to-GEO satellite and fiber-optic ca- 
ble links, in Sections 5.3.1 and 5.3.2. 



2.3 Organization of the Paper 

The paper is organized as follows. In Section 3 we carry out a complete formal derivation 
of the effective secrecy capacity and rate for practical quantum cryptography systems. We 
obtain exact, closed-form results for the entire system dynamics, including the calculation 
of exact necessary and sufficient results, as well as useful practical results for the required 
privacy amplification to ensure the unconditional secrecy of the shared cipher. Our exact 
results allow us to explicitly determine the requirements for high speed quantum cryptog- 
raphy in practical implementations. In Section 4 we perform a comprehensive analysis of 
all system losses and loads, for both free-space-based and optical fiber cable-based quantum 
cryptography systems, including in particular the full classical communications bandwidth 
requirements and the full computer machine instruction requirements needed to support ac- 
tual quantum cryptography implementations. In Section 5 we analyze precise requirements 
for and detailed methods to achieve successful practical high speed quantum cryptography 
implementations in realistic environments. Our conclusions and a discussion are contained 
in Section 6, and Sections 7 and 8 contain acknowledgements and several appendices. 



2.4 Brief Description of Quantum Key Distribution Protocol 

Here we provide a very brief description of the basic elements of quantum key distribution. 
We will illustrate this with the original four-state QKD protocol developed by Bennett and 
Brassard in 1984 known as the "BB84" protocol f^. For definiteness in this illustration 
we will assume that individual photons serve as the quantum bits for the protocol, or more 
precisely, the polarization states of individual photons. To carry out the protocol one of the 
parties transmits a sequence of photons to the other party. The parties publicly agree to make 
use of two distinct polarization bases which are chosen to be maximally non-orthogonal. In a 
completely random order, a sequence of photons are prepared in states of definite polarization 
in one or the other of the two chosen bases and transmitted by one of the parties to the 
other through a channel that preserves the polarization. The photons are measured by 
the receiver in one or the other of the agreed upon bases, again chosen in a completely 
random order. The choices of basis made by the transmitter and receiver thus comprise 
two independent random sequences. Since they are independent random sequences of binary 
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numbers, about half of the basis choices will be the same and are called the "compatible" 
bases, and the other half will be different and are called the "incompatible" bases. The two 
parties compare publicly, making use for this purpose of a classical communications channel, 
the two independent random sets of polarization bases that were used, without revealing the 
polarization states that they observed. The bit values of those polarization states measured 
in the compatible bases furnish the "sifted key." Note that, if the two parties used classical 
signals to send the key, an eavesdropper could simply measure the signals to obtain complete 
knowledge of the key. If, on the other hand, the two parties use single photons to transmit 
the key, the Heisenberg Indeterminacy Principle guarantees that an eavesdropper cannot 
measure the polarizations without being detected. The sifted keys possessed by each of the 
parties will in general be slightly different from each other due to errors caused by the use of 
imperfect equipment. A classical error correction procedure, carried out through the classical 
communication channel, is executed in order to produce identical, error-free keys at both 
ends. It is possible that an enemy may have obtained some information about the key during 
the publicly-discussed error correction phase of the protocol. In addition, it is also possible 
for the enemy to have obtained information due to the presence in the sequence of quantum 
bits of multiple photon states. The process of "privacy amplification" is therefore applied 
to the sifted, error-free key, which has the effect of reducing the information available to the 
enemy to less than one bit, with extremely high probability. 

These basic elements of quantum key distribution are discussed and analyzed in detail in 
this paper. 



2.5 Secrecy and Security in Communications 

It is important to be clear about the "security" advantage that does, and does not, derive 
from the use of quantum key distribution, quantum cryptography and the method of the 
Vernam cipher in secret communications. For this purpose we introduce standard definitions 
and discuss issues of context and application. 

2.5.1 Definitions 

"Secrecy" and "security" do not have the same meaning: the former is included within the 
latter. Stated differently, all secure communications systems provide secrecy, but not all 
secret communications systems provide security. In this paper we reserve the word secrecy, 
to mean what Shannon meant by the phrase "perfect secrecy" in his seminal work on the 
subject: Communication Theory of Secrecy Systems {cf P). The basic requirement for 
secrecy is that, in comparing the situation before the enemy has intercepted the transmission 
with the situation after any such interception (and analysis) has occurred, the a posteriori 
and a priori probabilities for the enemy to know the content of the transmission must be 
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identical.^ In an operational sense, we specifically intend the word "secrecy" to characterize, 
and apply solely to, the protection provided strictly by the cryptographic protocol alone. This 
operational meaning is best explained by placing secrecy in proper perspective in the larger 
framework of "security," or more precisely, communications security ^H]- Communications 
security, (so called "COMSEC"), may be naturally split into four separate categories (there 
are other ways of organizing these concepts - here we invoke the standard scheme advocated 
by the U.S. National Security Agency in [T^): 

(1) cryptosecurity - [The] component of communications security that results from the pro- 
vision of technically sound cryptosystems (emphasis added) and their proper use. 

(2) emission security - Protection resulting from all measures taken to deny unauthorized 
persons information of value which might be derived from intercept and analysis of compro- 
mising emanations from crypto-equipment, computer and telecommunications systems. 

(3) physical security - The component of communications security that results from all 
physical measures necessary to safeguard classified equipment, material, and documents 
from access thereto or observation thereof by unauthorized persons. 

(4) transmission security - [The] component of communications security that results from the 
application of measures designed to protect transmissions from interception and exploitation 
by means other than cryptanalysis. 

The word secrecy throughout this paper means no more and no less than cryptosecurity, 
in the sense of definition (1) above. This is the secrecy protection afforded purely hy the 
cryptographic protocol against purely cryptanalytic attacks only. Unconditional secrecy refers 
to secrecy that remains intact when the cryptosystem is subjected to attacks by an enemy 
equipped with unlimited time and - within the constraints dictated by the laws of physics - 
unlimited computing machinery. 



2.5.2 Technically Sound Quantum Cryptosystem Design and Practice 

What security protection should unconditional secrecy provide? Should the purview of cryp- 
tosecurity, the protection afforded specifically by the cryptosystem per se, be extended to 
include protection normally provided by the other three elements of COMSEC? The answer 
to this question is "no." Stated more precisely, if a so-called "technically sound cryptosystem" 
is properly operated, with the consequent balance between the four elements of COMSEC 
that this implies, there should be no need for such an extension of purview. It is not the 



^Of course, if the a posteriori and a priori probabilities are indeed identical, but happen to be identically 
equal to, say, unity, then we clearly don't have a secret system. In the case of a string to be used as a 
Vernam cipher we obviously also need that the probability for the enemy to know any specific bit is equal 
to 50%, independently of the ordering of the bits. Then perfect secrecy in Shannon's sense means that the 
probability for the enemy to know the entire string approaches zero exponentially quickly with the number 
of bits. 
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purpose of this paper to provide a detailed analysis of proper cryptosystem praxis, but two 
observations should suffice to illustrate the main point. 

As one example, we may imagine that a prefect cryptographic system that provides uncon- 
ditional secrecy has been set up and is in use. If the actual method of use by the secret 
communicators, however, includes "leaving the door(s) open" at one (or both) of their facili- 
ties, so that an eavesdropper can actually gain access to their system in some way, the system 
security is obviously entirely lost, in spite of the unconditional secrecy of the underlying cryp- 
tosystem. Is it reasonable to insist that the cryptosystem, per se, provide protection against 
such technically unsound cryptographic practice? The answer is "no." Before commenting 
on the technical implications of this, let us consider a different situation. 

As another example, one might try to argue (erroneously) that free-space classicalkej distri- 
bution between a satellite and a ground station is "obviously" perfectly secure without the 
need for making use of quantum bits, or even any cryptography at all. If the transmission 
consists of classical bits, encoded in optical pulses generated by a laser and propagated along 
a highly collimated beam, wouldn't it be very difficult for an enemy to actually physically 
intercept the beam at all? Wouldn't it be almost impossible for the enemy to somehow 
grab such a signal out of a highly collimated, thin beam? Of course, the beam becomes 
broader as it propagates, and moreover, it is possible for the enemy to exploit the scattering 
of such a beam but nevertheless, the answer to this question is "yes, it is difficult" but that 
is irrelevant. 

What these two examples illustrate are two extremes in regard to what protection the cryp- 
tosystem should, and should not provide. We agree strongly with the philosophy that cryp- 
tosecurity should be viewed as only one part of an overall system for ensuring communications 
security (c/[T7j). Technically sound quantum cryptosystem design, for instance, dictates that 
if it is possible to trivially prevent the enemy from modifying photon wavelengths in multiple 
photon pulses and thereby prevent the "remote" adjustment of the quantum efficiency of the 
photon detector in a quantum cryptography system by simply placing a narrow bandpass 
filter at the front of the receiving apparatus, then such a technique, which falls outside the 
purview of pure cryptography and is instead an element of transmission security, must be 
implemented.^ The point is that the fact that this is being implemented can be fully dis- 
closed, without any loss of security whatsoever, to the enemy, as there is nothing that can 
be done about it. Similarly, technically sound quantum cryptosystem practice dictates that 
the communicating parties must obtain an accurate measurement of the ambient noise along 
the quantum channel prior to the use of the system. On the other hand, potential attacks 
on the secret communication cryptosecurity, as such, must be protected against, solely on 
the basis of whatever features the cryptosystem itself provides. It is not a valid argument 
that a particular attack is "difficult," since the technological capabilities of the enemy may 
improve, and moreover, these should never be underestimated. The consequences of the 
preceding qualitative statements all translate into concrete mathematical implications for 



^This particular issue is in fact of considerable importance and is discussed in much more detail later in 
the paper. 
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the detailed analysis of the necessary and sufficient amount of privacy amplification (this is 
introduced in the next section) required in a practical quantum cryptography system, so we 
codify the meaning of this below. 

Quantum Cryptographic Conservative Catechism 

We propose the following "doctrine of reasonableness" for analyzing practical quantum cryp- 
tography systems: the Quantum Cryptographic Conservative Catechism (QCCC), according 
to which (1) it is presumed that both the physical hardware design and the actual operation 
of any QC system will together furnish a technically sound cryptosystem as determined both 
by the precedents already established through the history of cryptology and new features 
specific to quantum communications, and (2) any proper theoretical analysis of the perfor- 
mance characteristics of a practical QC system must incorporate the underlying assumption 
that the enemy is limited solely by the laws of physics, relaxed only to the extent that it is 
reasonable to take condition (1) into account. This is the approach followed in our study. 
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3 Theoretical Analysis of Effective Secrecy Capacity 

In this chapter we will perform a careful derivation of the functions that provide a full ac- 
count of the operating characteristics of a general QKD system. Our analysis is specifically 
constructed to characterize the Bennett-Brassard Four-State (BB84) QKD protocol ^^, or 
more precisely, a set of generalizations that include the original BB84 protocol as a special 
case.^ The figure-of-merit for the operating characteristics and secrecy of a QKD system 
is provided by the effective secrecy capacity, S, in terms of which we may define the ef- 
fective secrecy rate for the system, 7?..^ These quantities provide a full characterization of 
the operating characteristics of the cryptographic communications system set up between 
the legitimate communicating parties, traditionally referred to as "Alice" and "Bob." The 
effective secrecy capacity is defined as the ratio of the final length in bits, of the secret shared 
cipher, to the number of bits initially transmitted by Alice to Bob in order to establish the 
final cipher. The "final length" is the length of the string after the full execution of the 
protocol, including all of the required error correction, privacy amplification and continuous 
authentication^^ has been applied to the original, "raw" string, i.e., the transmitted string 
that has not yet been subjected to any processing at all. We denote the number of "raw" 
pulses^^ sent by Alice to Bob as m, the number of bits in the compatible polarization basis 
that actually reach Bob as n, the number of those bits which are in error as ct, the total 
number of bits that must be subtracted^^ from the string in order to effect privacy ampli- 
fication as s, the privacy amplification security parameter as Qpa, and the number of bits 
required to be subtracted in order to carry out continuous authentication as a. Then the 



®Iii fact, the use of a source of data bits that produces an admixture of single- and multiple-particle states 
means that the system does not implement the original, pure BB84 protocol, which by definition requires 
pure, idealized qubits represented by single particle states. However, our analysis is sufficiently general to 
include all such implementations. In addition, although our analysis does not focus specifically on quantum 
cryptography with entangled states, such as the Ekert protocol ^Hl or the recently demonstrated entangled 
state variant of the original BB84 protocol ^HJ, our results can be modified to apply to it as well. Work is 
in progress on the latter topic, which will appear as Part Two of the current work |2(J| . 

^In our calculation we shall adopt, and considerably expand, the notational scheme introduced by Slutsky, 
et. al. in |21j of the various system characteristics and capacities. Our analysis is more complete than 
previous treaments in accounting for all relevant system processes, and our use of previously established 
notation will in particular make it easy to identify the ways in which our analysis extends previously obtained 
results in this area. 

^°It is essential in any complete analysis of the characteristics of a QKD system to fully account for what 
we refer to as "continuous authentication." (The authors thank a contact at the U.S. National Security 
Agency for suggesting to us the phrase "continuous authentication.") Authentication is intended to ensure 
that only legitimate parties may communicate via a cryptographic system. We require the minimum amount 
of authentication, but no less than that, in order to preserve the integrity of the QKD protocol. Continuous 
authentication, for every single transmission between Alice and Bob, is absolutely required, but has not 
been thoroughly studied before. It is not sufficient to "authenticate" once, as repeated attempts at system 
intrusion may be made by the enemy. In this paper we carry out a full analysis of this process, along with 
all other relevant system processes. 

^^This number includes the "empty" pulses - those for which the filtering applied to the output of the 
laser has resulted in the statistical extinction of the photon content. 

^^The privacy amplification subtraction function, s, is defined here so as not to include the privacy ampli- 
fication security parameter gpa- 



effective secrecy capacity is defined as^^ 

^ _ n- er - s - gpg- a 
m 
The effective secrecy rate corresponding to the effective secrecy capacity measures the effec- 
tive throughput of secure Vernam cipher in bits per second and is given by 

7^ = r^^S, (2) 

where r is the bit cell period, the period of time that is required for the system hardware to 
transmit one signal from Alice to Bob, "reset" itself and become ready to transmit the next 
signal. 



3.1 Derivation of Effective Secrecy Capacity 

We want to determine the conditions under which a fully realistic, practical system imple- 
mentation of the BB84 protocol for quantum key distribution can produce unconditionally 
secret, shared key material between Alice and Bob. Moreover, we want to discover those 
conditions under which we may obtain the highest possible data throughput rate so that we 
can use the shared key as a real-time Vernam cipher and thus legitimately speak of end-to- 
end quantum cryptography, i.e., an unconditionally secret communications system capable 
of supporting large volumes of data. For this purpose we need to obtain an explicit, closed 
form expression for the effective secrecy capacity that directly expresses S in terms of the 
actual operating parameters for a realistic system implementation of quantum cryptography. 



3.1.1 The Sifted Key and the Transmitted Errors 

We will deduce explicit expressions for the various quantities that appear in the expression 
for the effective secrecy capacity, starting with the length of the sifted key and the length 
of the transmitted error part. We will assume that the "Alice" system instrumentation 
principally includes a pulsed laser which generates pulses of light in the form of coherent 
states. This assumption can be made without loss of generality since, as will be evident 
below, our formulation will include as a special case the situation in which Alice instead 
utilizes a device that, through whatever means, produces only single-photon states. The 
state function for a fiducial coherent state produced by the laser is given by^^ 



i'^)=f:\A-4e'io (3) 

1=0 * *• 

^^We choose a definition of the effective secrecy capacity appropriate for the QKD protocol in which error 
correction is effected by identifying and discarding, rather than identifying, correcting and retaining, the 
error bits. Our analysis can be easily adapted to the case where error bits are identified, corrected and 
retained. This is consistent with the conservative approach adopted throughout our analysis and means that 
the various rate predictions we will make in fact constitute lower bounds on achievable throughput values. 

^*The enemy, in general, will not detect potential intercepted states precisely as coherent states, but will 
intstead (due to lack of a phase reference) detect a mixture of Fock space states that are characterized by 
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where is the quantum mechanical phase and /i is defined as the expectation value of the 
number operator, and in practice is the mean photon number per pulse. The number of 
photons produced is thus characterized by a Poisson distribution. We denote by x (/^; ^^e 
probability that a laser pulse (in a stream of pulses characterized by /i) will contain exactly 
/ photons and thus 

X (/i, /) = e-^^ . (4) 

We will sometimes find it convenient to use the notation 

ij,{fi)=x{f^,l) = f^e->^ (5) 

and 

^2 (/i) = X (/^, 2) = ^e-^ (6) 

for the probabilities that exactly one and two photons, respectively, are in a pulse. 

In the same manner we deduce that the probability, ip>i, that a laser pulse will contain one 
or more photons is given by 

oo / 

1=1 ''■ 

and that the probability, '0>2, that a laser pulse will contain two or more photons is given 

by 

oo / 

1=2 '■■ 

In our analysis of quantum key distribution^^ we assume that Alice prepares and launches 
in the direction of Bob a number, m, of laser pulses, referred to as the raw hits. The time 
required to prepare, launch and ready the system to prepare another pulse is the hit cell 
period, r. The overall QKD event thus lasts for a duration of mr. Out of the full set 
of m bit cells sent by Alice, a certain fraction only will survive to become potential bits 
in the secret key. In deducing the expression for the effective secrecy capacity we must 
take into account the amount of attenutation, a, that characterizes the propagation loss 
conditions of the trajectory connecting, and including, the Alice and Bob systems. We 
also need to take account of the imperfect intrinsic quantum efficiency, ?7, that characterizes 
Bob's detector, as well as the intrinsic dark count probability, r^- Alice and Bob follow the 
standard protocol, whereby the polarization hases (but not the polarization states) of the 
bits collected by Bob are publicly discussed and compared between Alice and Bob. The 



a Poisson distribution and described by an appropriate density matrix |22j . This fact has no bearing on 
the calculation of the number of sifted bits shared between Alice and Bob, as they do possess the necessary 
phase reference, and thus the use of explicit coherent states is appropriate. 

^^In strict accuracy one should refer to the QKD protocol as quantum key expansion, rather than distribu- 
tion, since the success of the entire process requires that Alice and Bob be in possession of a suitable initial 
authentication string, which must be secret. This topic of authentication is discussed in much greater detail 
below. 
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bases for which Ahce and Bob find themselves in agreement are referred to as compatible 
bases, and the remainder are referred to as the incompatible bases. The random orientations 
of the polarizing and polarization-discriminating apparatuses at Alice and Bob are assumed 
to comprise two completely uncorrelated sequences, so that for about half of the bit cells 
about which Alice and Bob conduct their discussion they will have noted compatible bases, 
and for the other half the bases will be incompatible. After taking into account the various 
other effects that cause the bits shared between Alice and Bob to be diminished in number, 
we can establish the number, n, of sifted bits for the QKD problem. 

In order to be as general as possible in our analysis we will formulate the expression for 
the number of sifted bits from first principles in terms of the various underlying probabil- 
ities associated to the different processes that take place. Denoting the various relevant 
probabilities by V with appropriate arguments, we have 

- Ai' 
V (/ photons leave Alice) = e '^-— = x (/^i 5 (9) 



V U' photons reach Bob / photons leave Alice) = a' (1 — a) , (10) 




V il" photons detected /' photons reach Bob) = ,,, if (1 — v) (1 " ^0,/") > (H) 

V (no dark count event) = 1 — r^, (12) 

and 

P (basis compatibility) = - . (13) 

In writing the expressions in eqs. p()|l and pijl we are incorporating assumptions on the 
statistical nature of the responses of both the qubit detector and the environmental processes 
responsible for the line attenuation. With the chosen form for the rhs of eq. ()lU|) we are 
assuming that all attenuation processes act incoherently on a /-photon pulse, and that there 
is no enhancement or suppression when / photons try to get through together. Similar 
assumptions apply in the case of eq. (|TT|l . in addition to which the factor of 1 — (5o,z enforces 
the condition that the detector apparatus may not fire when zero photons are incident upon 
it (modulo dark count events, which are described in a separate term as seen below). 

These assumptions are quite reasonable, and they have evidently been implicitly adopted in 
all previous work on this subject {e.g., \2\\ I23j). but we here for the first time make them 
explicitly clear. In fact, the final explicit form for n obtained in eq. ()15|) below presumably 
only follows upon making these two specific assumptions.^^ 

^^ Analysis of any specific forms for the number of sifted bits, n, that may arise upon making different 
specific assumptions about the processes that underhe eas. fTn| and lfTT|l appears to have never been carried 
out. This is a worthwhile area for future research. 
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We may now deduce the expression for the number of sifted bits by assembhng the appro- 
priate probabihties, to yield 



n 



mi 



^ "P (/ photons leave Alice) 
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xV il' photons reach Bob / photons leave Alice 
xV il" photons detected /' photons reach Bob) 
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ip>i (rjna) + Td 







(14) 
(15) 



where ip>i, the probability of encountering one or more than one photon in a pulse, is 
defined in eq.(|7)). In the last step above we have neglected r^ in comparison to unity, 
which means that we are ignoring the dark count coincidence events, for which a dark count 
occurred in precisely the same bit cell as an authentic photon detection event (this is a valid 
approximation for a good QKD system equipped with a detector apparatus characterized by 
a small dark count rate). 
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As discussed below eq.()13p. the form that we have derived for the number of sifted bits 
depends on those assumptions that underhe egs- ljlUp and pi|) . In addition to these assump- 
tions, the result obtained in eq. (|T5|) above requires making the further assumption on the 
intrinsic properties of the quantum channel that the Poisson distribution of photon number 
that characterizes the output of the source laser at the Alice end also describes the state 
received at the Bob end of the quantum channel. 

Let us consider the meaning of the terms in the square bracket in eq. ()15|l above. The 
first term, ip^i {rjfia), is the contribution to the number of sifted bits due to the bit cells 
comprised of single-photon and multiple-photon pulses characterized by an effective mean 
photon number per pulse of 77 x /i x a, reflecting the fact that the stream is subjected 
to the effects of both line attenuation and imperfect detection by Bob's apparatus. The 
remaining term is simply the contribution to the number of sifted bits due to those dark 
counts occurring in Bob's apparatus that do not occur in a bit cell for which an authentic 
photon detection event takes place. 

We also need to deduce the number of sifted bits that are in error, e^. The calculation is 
similar to that for n, where we now take into account as well the intrinsic quantum channel 
error rate, Vc- In our parametrization of the QKD problem, Tc measures only the tendency 
of the system arrangement at Alice and Bob, along with the intrinsic properties of the 
quantum channel itself, to cause polarization misalignment and dispersion of photon arrival 
times between the instruments at Alice and Bob, as we are assigning to other quantities (77, 
Tfi and most significantly, a) the role of measuring other system imperfections. In the case of 
a free-space QKD system in which Alice and/or Bob are located on a moving platform, such 
as a satellite, Tc may be a measure of the actual physical misalignment of the apparatuses 
at the two ends. In the case of a fiber-optic cable QKD system, r^ may be a measure of 
certain dispersion effects intrinsic to the cable. In calculating ct we also take account of the 
fact that the dark counts produced by Bob's detector instrument will, by coincidence, be 
"wrong" half of the time, so that the factor of r^ that appears in the expression for n must 
be replaced by rd/2. 

Following the same approach used to deduce eq. ffTSj) we may assemble the necessary probabil- 
ity functions and carry out the required calculation to obtain the expression for the number 
of transmitted error bits, ct, which is found to be given by 



m 

Ct = — 

2 
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1 - yj r^il}>i {r]fia) + -^ 






(16) 
(17) 



where in the second line above we have made the same approximation utilized in deriving 
eq.p5|) and neglected r^ in comparison to (in this case, twice) unity. 
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Monitoring the Statistics of the Detection Events 

It may be advantageous for Alice and Bob to specifically exclude from the sifting process 
those bit cells which are manifestly associated with multiple photon pulses, since these bit 
cells provide an opportunity for the enemy to obtain information on the final, shared key. For 
this analysis, we envisage a generic, purely passive Bob apparatus suitable for use in the BB84 
protocol consisting of four photon detectors, ^^ for which there is a calculable probability that, 
given a multi-photon pulse with / photons incident on the apparatus, one and only one of the 
four detectors will click (we use the word "click" to refer to the registration by the detector 
of an incident photon). We will express this as the confounding probability that Bob will 
not be able to distinguish a multi-photon pulse from a single-photon pulse, and denote this 
probability by z [r], I), where in general there is a dependence on both the photon number / 
and the detector efficiency 77. Thus, Bob and Alice can agree to discard those multi-photon 
pulses that manifestly produce more than a single click at Bob's detector (leaving only those 
multi-photon pulses that happen to produce a single click), and we can incorporate this 
condition quantitatively in the expression for the effective secrecy capacity. This will result 
in a shortened length for the sifted string, apparently thus reducing the possible value of the 
effective secrecy capacity. However, this procedure will also reduce the size in bits of the 
associated privacy amplification subtraction amount, thus potentially increasing the effective 
secrecy capacity, and so the two effects compete with each other. Because of the complicated 
dependence on the various parameters that characterize the QKD problem, such as the line 
attenuation, the mean photon number per pulse, the detector efficiency and others (as derived 
in detail below), it is not clear a priori which term will dominate. Such a scheme is a variant 
of implementations of BB84 employing weak coherent pulses in which no distinction at all 
is made between single- and multiple-photon pulses, and it is designed to explore the extent 
to which we can optimize the throughput rate as well as guarantee unconditional secrecy 
identical to that achievable if only pure single photon states are used.^^ 

To proceed, we return to the expression for the number of sifted bits derived above. To 
emphasize the contributions to n due separately to the single-photon and multi-photon 
pulses we can rewrite eq.f|T5|l as (c/eqs.(jS}, ((Zj) and (jH))) 



m 

n = — 

2 



ipi {r]fia) + i)>2 ivi^oi) + "fd 



Inspection of the above expression would seem to indicate that to incorporate monitoring 
of the click statistics it should be necessary to modify only the second term in the square 
brackets, since, modulo dark count coincidence events, multiple clicks can obviously never 
be produced when single-photon pulses (represented by the first term in the square brackets) 
arrive at Bob's apparatus. However, it turns out that the first term, in addition to the second 
term, must be appropriately modified, as we show. 

^^The receiver design is discussed in detail in Section 5.2 below. 

^^This extension of the BB84 protocol in fact may be further generalized to include a family of generic 
extensions, distinguished from each other by precisely how Bob monitors the statistics of the distribution of 
multiple clicks at his detector. In Section 3.2 below we discuss this in more detail. 
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To understand this, we need to suitably modify the hst of probabihties included in eqs.© to 
()13|). to allow for the characterization of the single-click detection events. For this purpose 
we replace 



/ ,// 



V il" photons detected /' photons reach Bob) = \ ,„\ff {^ ~ l) (1 ~ ^o,/") (19) 

with 

V (single click event /' photons reach Bob) = zb {rj, I') , (20) 

where, as mentioned above, in general there is a dependence in zb on both the number of 
received photons and the detector efficiency. 

The explicit form of zb {^,1), the confounding probability for Bob that, given a laser pulse 
incident upon his apparatus with / photons in it, one and only one of Bob's four detectors 
will click, will depend on (1) a model that specifies the details of the detector apparatus, 
as well as on (2) the particular click-monitoring scheme that is adopted. In the following 
we will take as a standard example a model of a purely passive setup with four photon 
detectors placed behind a pair of polarizing beamsplitters, which in turn are placed behind 
a purely passive 50/50 beamsplitter fcf Figure I25|). Having thus picked the detector model, 
we are still free to specify the click-monitoring scheme. For instance, in one such scheme we 
could require that Bob discard all bit cells in which any arrangement of simultaneous clicks 
occurs, while in another scheme we could require that only bit cells in which simultaneous 
clicks between, say, two detectors occur, but not between three detectors, etc}^ To make 
the analysis as general as possible we will make no specific assumption on this point. This 
still allows us to provide explicit expressions for the cases of zero and one photons, so that 
we have 

ZB iv,0) = 0, (21) 

Sb (r/, l) = V, (22) 

which indicates that there is a 100% chance that a detector will fire if a single photon 
impinges on the receiving apparatus, assuming a perfect detector (this may be easily verified 
to follow from the assumption of a purely passive Bob apparatus, as described above), and 
we define 

^b{vJ')[,^2 - ^B,>2{vJ') , (23) 

where zb,>2 is a kernel to be operated on by a suitable probability distribution that charac- 
terizes the distribution of the /' photons that have in some manner propagated to the input 
of Bob's detector apparatus (the use of a general expression for values of /' > 2 allows a 
general treatment without specifying a particular click-monitoring scheme). 

We may now deduce the modified expression for the number of sifted bits, Umcs (the subscript 
stands for "monitor click statistics") obtained with explicit monitoring of the statistics of the 

^^ Another possibility is that all four detectors simuhancously fire. This can only occur if at least one of 
the four firings is due to a dark count event. 
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detection clicks, by assembling the appropriate probabilities, now supplemented by eq. fpUj) . 
to yield (note that we now sum over two rather than three indices) 
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where ipi, the probability of encountering exactly one photon in a pulse, is defined in eq.(5), 
and we have defined as well 



X (/i, ^>2 (?7, a, /) ) = J2x{l^J)2>2{r],aJ) 



1=0 

Ee-'^^^>2(^,«,0 
1=0 *• 



and 



42(r/,«,0 = E (;,)«'(! 



a) ZB,>2ivJ') 



(26) 



(27) 
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and in eq.()25|) we have once again ignored r^ in comparison to unity. 
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Let us consider the meaning of the three terms in the square bracket in the first equation 
on the rhs of eq.()25|). The first term, rjipi (fia) (to be compared with the first term in the 
square brackets in eq. (jl8p which is ipi (rifia): note the migration of the factor of rj out of the 
argument oiipi), is the contribution to the number of sifted bits due to the bit cells comprised 
of single-photon pulses taken from a stream of pulses characterized by a mean photon number 
per pulse of /i x a and further modified by the detector efficiency, reflecting the fact that the 
stream is subjected to the effects of both line attenuation and imperfect detection by Bob's 
apparatus, and incorporating the effects of the click-monitoring procedure. The second 
term, (% (/i, /) Z>2 (r/, a, /) V is the contribution to the number of sifted bits due to those 
multi-photon bit cells that cause only a single click to occur amongst the four detectors in 
Bob's apparatus. (Those multi-photon pulses which cause multiple clicks in Bob's device are 
watched for and discarded.) The remaining term is simply the contribution to the number 
of sifted bits due to those dark counts occurring in Bob's apparatus that do not occur in a 
bit cell for which an authentic photon detection event takes place. 



Eq.(14) can in fact be recovered as a special case of eq.()24|). It is easy to see this by rewriting 
rimes instead as a sum to manifestly include single photon pulses, so that we have 
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X (/i, /) i>i (r/, a, /) 
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(29) 



(30) 



The sum over /' in the above expression could just as well be allowed to range from zero to 
inflnity since zb {tj, 0) vanishes indentically. We have here marked the sum as beginning at 
I' = 1 merely to emphasize speciflc value of the one-photon contribution in the result. 



^''We employ a non-standard notation for averages, explicitly including inside the brackets the specific 
distribution function with respect to which the average is defined, and in particular including the argument 
of the distribution. This is done to make clear which discrete variable is being summed over in every case. 

^^In deriving the results in eas. H24(l and ea. (|25|l we have also made use of the fact that, for integer values 
of I, one has T (-/) -^ oo ^ l/T (-1) = V ^ > 1. 
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Clearly, making the replacement 
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(31) 
in eq.(j2ni) and carrying out the sums results in a specialization from rimes =^ n, corresponding 
to our previous analysis in which Bob makes no attempt whatsoever to distinguish single 
photon pulses from multiple photon pulses. 

We also need to deduce the modification of the number of transmitted errors necessary to 
account for the click statistics monitoring prescription by proceeding as in the derivation of 
eq.(|25p. from which we obtain 

er.mcs = —i\i-^]rcr]^i{fia) + (x{f^,l)2:>2{'n,a,l)) + ^} (32) 

(33) 

The functions rimes and eT,mes given in eqs.iP^ and (jHHj) are quite general expressions that 
are valid for any multi-click monitoring scheme provided one uses a detector model such 
that there is unit probability (modified by rj) that one detector will click given that a single 
photon impinges on Bob's apparatus (c/eq.(22)). 

A Digression on an Incorrect Approach to Calculating S 

At first it might appear that a straightforward derivation of the effective secrecy capacity S, 
starting from the definition provided in eq.([Q), would consist in a different development than 
that which was presented in the derivation of eq. (fT3j) . The issue here is how to calculate the 
expression for the number of sifted bits, n (and, directly following on that, the number of 
transmitted error bits Ct)- One might think that the derivation of n should consist in the 
following argument. One would first note that the probability that a bit cell produced by a 
pulsed laser (generating a flux of /i) will contain one or more photons is given by ip>i (//) (c/ 
eq-O)- Since we are interested in considering the fate of precisely those bit cells that contain 
one or more photons, it might then seem that the construction of n should consist merely 
in multiplying tp^i (/i) by the quantum efficiency rj of Bob's detector apparatus to account 
for the probability that the pulse will actually be detected, and by the line attenuation a to 
account for the signal loss incurred in the passage from Alice to Bob, adding to this product 
the dark count r^, and finally multiplying the entire expression by m/2 to account for the 
50% loss expected from incompatible basis orientations. In this manner one would derive 
the quantity 



m r 



n 



r]tjj>i (fi) a + rd 



(34) 



for the number of sifted bits, where we use the notation "n" to distinguish this incorrect ex- 
pression from the correct expression for the number of sifted bits given by n in eq.()15|) above. 
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Upon comparing eqs. ()34|) and p5|) we see that the difference between the two expressions is 
in the factors ip>i {vf^(^) versus rjip^i {jj) a. It is clear, however, that the quantity given in 
eq. ()34|1 certainly cannot be correct in general. 

To see this, suppose that some number of sifted bits are established by using a particular 
QKD setup. Now imagine that the intrinsic quantum efficiency, r/, of the detector apparatus 
is somehow doubled in value to 2r]. For instance, suppose that the original value of 77 is 
45%, and we can double its value to 90%. If the mean number of photons per pulse, /i, is 
sufficiently small, say much less than unity, we would expect that the corresponding number 
of detection clicks at the detector should double. However, if instead /i was a very large 
number, say /i ~ 1000, we would expect that each bit cell that reached the detector would 
cause it to click anyway when we had 77 = 45%, so that doubling 77 to 90% should not cause 
the number of arriving bit cells that cause a click to become larger. 

In fact it can easily be seen that the quantity rjip^i (//) a furnishes a lower bound to the 
quantity ip>i {rj^a). This is illustrated numerically in the figure below. Noting that the 
product ?7 X a satisfies the inequality < 77 x a < 1 since both < 77 < 1 and < a < 1, we 
plot curves that compare the values of rjipyi (//) a with %Ij>i {rjfia) for four different values of 
/i. 
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Figure 1: Comparison of r]'^>\ (/i) a with ?/^>i {r]\ia) 

In each of the four graphs, the upper curve is the function '0>i ('7Ata) and the lower curve the 
function 7/'i/'>i (yU,) a. It might still appear that it would be sufficient to make use of the latter 
function in the expression for the the number of sifted bits, 77,, since, as a lower bound on the 



29 



correct expression, one would at worst be underestimating the effective secrecy capacity S. 
After all, if rjipyi (/i) a, provides a lower bound to ip>i {rjfia) then we have "n" < n as well, 
so one might think that the effective secrecy capacity S is lower-bounded in this way as well. 
However, that is not in general guaranteed to be true. In fact each term in the numerator of 
S in eq.dH), with the exception of gpa, is a function of /i. (We will be developing the explicit 
//-dependence of the quantities contained in the term s in S, as well as that of a, in the 
sections below.) Each of these functions is, moreover, a function as well of other quantities 
such as a, t], etc., which give rise to a complicated parametric behavior. 



3.1.2 Privacy Amplification: General Remarks 

In the defining expression for the effective secrecy capacity, S, given in eq.(0), s is the 
number of bits of the sifted, error-corrected key that must be discarded to implement privacy 
amplification. This number should be no less (and, ideally, no more) than the number of 
bits that are "at risk," in the sense that the eavesdropper may have been able to obtain 
information as to their values. We refer to s as the privacy amplification subtraction function. 
According to the privacy amplification theorem [21], assuming the use of a representative 
of the appropriate class of hash function, if s bits are removed from the shared key and 
upon removing an additional Qpa bits,^^ it is guaranteed that the probability, P, that the 
eavesdropper can know one, or more than one bit of the remaining key is given by^^ 

P<^- (35) 

There are three possible ways in which the eavesdropper might gain partial information about 
the shared key: (1) The execution of any particular error correction protocol requires that Al- 
ice and Bob exchange information via the public channel. Although this channel is assumed 
to be secured against spoofing by the eavesdropper through the use of a suitable authenti- 
cation protocol (discussed fully in Section 4.4.1), the channel is nevertheless assumed to be 
completely open to eavesdropping and monitoring, and leakage of information is accordingly 
possible. (2) The "pure" BB84 protocol, by which we mean the original idealized protocol in 
which only authentic qubits, i.e., single-particle states are transmitted, is provably perfectly 
secret in the sense defined by Shannon P^I26|l771 l28j. However, unless the quantum channel 
is perfect and completely free of any noise whatsoever, it is possible for the eavesdropper to 
obtain some information from the single particle transmitted states by exploiting the pres- 
ence of the noise in the channel. Thus, in any practical system implementation it is necessary 
to account for the possibility of information leakage due to measurements performed even on 
the single particle states. (3) Much attention has been devoted to the use of weak coherent 
pulses generated by pulsed lasers in implementing QKD. In this case, and indeed in any case 
in which any sort of imperfect source at alP^ is employed, it is in fact possible in principle 

^^The symbol gpa, which will be discussed in more detail in Section 4.4.1, is referred to as the privacy 
amplification security parameter. 
^•^Privacy amplification is described in much greater detail in Sections 3.1.2, 3.1.3, 3.1.4 and 3.1.5 below. 
^''This applies both to attenuated lasers and nonlinear crystals. 

30 



for the eavesdropper to obtain information from suitable attacks on the multi-photon pulses 
in the stream, and this potential information leakage must be accounted for in deducing the 
amount of required privacy amplification subtraction that should be carried out. 

The quantity s is thus given by 

s = q + t + u, (36) 

where q is the Renyi information (in bits) leaked via error correction, t is the Renyi infor- 
mation leaked via measurements on the single-photon pulses, and z/ is the corresponding 
quantity associated to attacks performed on the multiple-photon pulses. ^^ 



3.1.3 Privacy Amplification: Error Correction 

Since q should provide a bound on possible information leakage caused by eavesdropping on 
the process of error correction, it is natural to define q so that it is measured in units of error 
bits. We therefore write 

q = Q -er, (37) 

so that we must deduce the appropriate form for the bounding function Q, which in all 
generality should satisfy the equation of state given by 

Q = Q{x,n,eT) , (38) 

where, in addition to the dependence on n and ct we also introduce and define a parameter 
X > 1 to measure the degree to which Alice and Bob approach the Shannon bound for perfect 
error correction in whatever error correction protocol that they utilize. We will refer to x 
as the Shannon deficit parameter, where x = 1 corresponds to prefect error correction. It is 
clear that the bounding function Q should depend on n and e-r through the ratio ex/n, the 
error fraction, so that the equation of state becomes 

g = g(^x,^) . (39) 

Note that in the limit of vanishing dark count, r^ = 0, the ratio ex/n reduces to the intrinsic 
channel loss, so that we have 



n 



= r, . (40) 

To deduce the explicit forms for Q and g, we need to determine the entropy associated with 
the information potentially leaked due to eavesdropping on error correction. This is provided 
by the Shannon entropy function for binary information states, which is given by 

/i(C) = -Clog2C-(i-C)log2(i-C) (41) 



^^We restrict attention to privacy amplification carried out with classical computing machines. So-called 
"quantum privacy amplification" |29| implemented with quantum computing machines will be considered in 
Part Two of this paper. 
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where ( is the transmitted bit error fraction. Since the bit error fraction associated to 
the n-bit sifted string is given by ex/n, the minimum amount of information that will be 
leaked will be for the case of perfect error correction in which the Shannon limit is attained, 
corresponding to a; = 1, and is given by 

qmin = nh( — ] . (42) 

In practice, perfect error correction cannot be attained, so an additional fractional amount 
of information measured by the Shannon deficit parameter will be leaked. Thus, the total 
information leakage, q, due to error correction is given by 

q = xnh ( — j . (43) 

Comparing (flH)) with (pTj) we deduce 

Q(x,C) = ^. (44) 

Since Q depends on n and Ct only through the ratio of the two, we see that the ?7i-dependence 
{i.e., the dependence on the number of raw bits) drops out entirely fcf eqs.(fT3j) and (fT7|) ). 
This will be a useful fact in determining important characteristics of the behavior of QKD 
systems. In particular, the form of Q is such that the expression is identically exact in the 
limit of an arbitrarily long cipher and a cipher of finite length. 

3.1.4 Privacy Amplification: Single Photon Pulses 

Although in the idealized case of a noiseless channel the quantum mechanical properties of 
the single-photon states guarantee the perfect secrecy of the transmission against any and 
all attacks by "Eve" (the conventional name used to denote the enemy), the fact that there 
is noise in a practical quantum channel provides an opportunity to nevertheless carry out 
measurements which may provide some information to the eavesdropper. The eavesdropper 
can generally attempt to be clever and simply not measure too much, hoping thereby to not 
generate too much noise, by "flying under the radar" of the noise present in the quantum 
channel.^^ Following the nomenclature of [201, we refer to the function that counts the 
number of required privacy amplification subtraction bits associated to this possibility as 
the defense frontier function, as it maps out the safe "frontier" for a sufficient amount of 
privacy amplification. The specific form of this function that is appropriate to the special, 
limiting case of the distribution of a cipher of infinite length was first obtained by Liitkenhaus 
in J2I] . The generalized form appropriate to actual ciphers of finite length (which includes 
the previously obtained version applicable to infinite length ciphers as a special case) was 
later obtained by Slutsky, et.al. in |3Uj . 

^^Terminology aside, this is in fact a rather apt analogy, since in flying under the radar a pilot tries to 
mask the radar signature of his aircraft in the radar clutter that is copiously present near the surface of the 
earth. 
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In the approach adopted in [20], a defense frontier function was constructed so as to ensure 
that a "successful" attack against the sifted, error-corrected bits could not be carried out 
with a probability any larger than a selectable infinitesimal quantity, e.^^ The detailed 
calculation produced a quantity that provides sufficient, but not necessary and sufficient, 
privacy amplification subtraction to guarantee the desired result. In our application of the 
defense frontier function, unlike in the original derivation given in jSU], we explicitly restrict 
the arguments of the defense frontier function, t, to the single photon parts only of the 
numbers of sifted and error bits, which we define, respectively, as fcf eqs. fllSp and (fTTj) ) 



ni = ni{r],fi,a,rd) 
_ m 



tpi {r]fia) + Td 



(45) 



and 



Ct,! 



eT,i{'n,ii,a,rc,rd) 



m 



r^i/ji {r]fia) + -j 



(46) 



The reason for this restriction, discussed more fully in Section 3.1.5 below, is that in our anal- 
ysis we additively split into completely separate terms the privacy amplification subtraction 
functions associated to the single- and multiple-photon pulses. 

With the proviso that we restrict the functional arguments as indicated above, we may adapt 
the derivation of jSO] to obtain as the explicit expression for the defense frontier function 



t(ni,eT,i,e) 



(ni - eT,i) I^ax ( -— 

\ 1 1\ 



+ ^ ('^i, e) ) + ^ (^1, e) ni (ni - er.i) 



1/2 



(47) 



where I^ax i^ ^^e maximum average amount of Renyi information leaked to the eavesdropper, 
with lS:„^ calculated to be 



fR 



and C, is defined by 



(C) 



^('^i^e) 



logs 




V^i 



erf 



-1 



(48) 



(49) 



^^ Quoting the analysis provided in |8()| . we define a successful attack as one which introduces some number 
of errors Ct into an n-bit sifted data string resulting from an m-bit transmission, while yielding the enemy 
an amount of Renyi information / > t{n,eT,e), where t{n,eT,e) is the defense frontier function displayed 
below. As we discuss below, our treatment departs somewhat from the analysis given in |30j in explicitly 
restricting consideration here solely to the single-photon pulse part of the entire transmission. This point 
was left unclear in the original treatment. 
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We note here that the expression for /^^^ given above is in fact precisely the same as an 
associated expression derived by Liitkenhaus in |SDE21; although it doesn't look like at it 
first sight. ^^ 

Recall that in the previous section we chose a form for the quantity q = Qct (the bound on 
the amount of Renyi information that may be leaked to the eavesdropper) that is measured 
in units of error bits. This is natural in view of the fact that this information leakage 
is associated with eavesdropping on the error correction process. In the same way, we 
express the defense frontier function in the form t = Tct, introducing thereby an explicit 
dependence on both e^ and ct,!, since the result of any measurements on the single photon 
pulses is to necessarily generate some number of errors in the transmitted string. Here we 
have introduced the new function T which plays a role similar to that of Q, in that it is a 
bounding function on the privacy amplification subtraction amount. Upon writing this out 
explicitly we find 

t (rii, ct, ct,!, e) = T (ni, ct, cta, e) ■ ct , (50) 

where^^ 




T(ni, 6^,6^,1, 6) = (--^)/l.(^ + e(r^i,e))+ani,6)^(l-^ 

Ct / \ ni / Ct \ rii 



1/2 

1/2 



V ni ' / ' er,i V ni 

(51) 

Unlike Q, T does not depend on n and Ct (restricted here, of course, solely to the single- 
photon pulse parts) only through terms that are functions of the ratio of the two, for which 
the m-dependence identically drops out entirely. In addition, due to the presence of ^, T 
includes a dependence on m that does not intrinsically cancel out. Thus, the infinite-cipher 
limit and finite-length cipher version of T are not identical. A straightforward calculation 
reveals that 

lim ^(ni,e) = (52) 



and 



so that we have 



ni /, Cta 



lim^UK'^)— (1- — I'^'HO' (53) 

•^^ Cta \ ni 



JimT(ni,eT,eT,i,e) = (^^ - 1 j 71^ (^|il 

= Too , (54) 

which is independent of both m and e. As stated above, this form recovers the expression 
for ciphers of infinite length first obtained by Liitkenhaus. 



^^The two versions of the maximuin average Renyi entropy become manifestly equal through the rescaling 
Crescaied ^ jz^ , as pointcd out in [321. 

^^In the approximate form of ea. (|51|l we are neglecting terms of the first order of smallness as given by 
^^ ~ 1 — [rc'0>2/ {rc'fpi + ^)] + • • •, with a similar expression for ni/exA- Recall fcf eas. ((T^ . (|15|l . etc.) 
that the argument of both of the functions ipi and ?/;>2 is 77^0; << 1. 
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3.1.5 Privacy Amplification: Multiple Photon Pulses 

There is reason to be concerned about the effect on the secrecy, and hence the security, 
of QKD systems when pulsed lasers are used to generate weak coherent pulses in place of 
ideal, perfect qubits. Indeed, the use of any imperfect source, such as excited nonlinear 
crystals, must be considered to be potentially problematic in this regard. This concern 
stems from the fact that, unlike the case for single-photon pulses, multi-photon pulses offer 
the opportunity in principle for an eavesdropper to obtain full information on the bit value 
encoded in the polarization state. However, this problem can be completely neutralized by 
employing a sufficient amount of privacy amplification in the processing of the shared key. 
It is essential in the analysis of this problem to use the proper tool, which is the complete, 
comprehensive form for the effective secrecy capacity of the system. Thus must include all 
the contributing terms, and in particular must include a complete characterization of the 
full amount of privacy amplification due to all causes (as well as the full amount of shared 
key material that must be removed to implement continuous authentication). As always in 
this analysis, it is required to determine at least the minimum number of subtraction bits for 
privacy amplification; it is acceptable (although undesirable) to overestimate this number, 
but it is strictly unacceptable to underestimate it.^'' 

The detailed analysis of the privacy amplification associated to multi-photon pulses is rather 
complicated. As we cannot know in advance precisely how the enemy will choose to attack 
these pulses, it is necessary to enumerate all possibilities by providing a complete taxonomy 
of all attacks, after which the various possibilities may be compared against each other to 
ascertain which are the strongest in various circumstances. It is then possible to deduce 
the expressions for the requisite amounts of privacy amplification. To provide an overall 
perspective of the various steps in the logic we illustrate the structure of the analysis with a 
flow chart in Figure |21 

The "Pyrrhic Victory" Approach to Privacy Amplification 

It would of course be possible to guarantee absolutely that none of the information resident 
in the multi-photon portion of the stream be available to an enemy, by simply carrying out 
sufficient privacy amplification subtraction to discard all of the bit values associated to all of 
the multi-photon pulses. This effectively and completely solves the problem of the vulnera- 
bility of the information in the multi-photon pulses, and moreover considerably shortens the 
analysis! The entire information content of the multi-photon part of the transmission is given 
by ip>2 (/^), so that we could denote the total privacy amplification subtraction function by 
z/pyrrhic and simply write 

'^Pyrrhic = V^>2 (/i) (55) 

and be done with it, confident that the eavesdropper cannot carry out any useful attack on 



•^"^Any claim of a QKD system rate based on an underestimated numerical value for the privacy amplifi- 
cation subtraction function is potentially untenable and should be rejected as characterizing a potentially 
vulnerable communications system. 
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Figure 2: Flow Chart of Analysis of Multi-Photon Pulse Privacy Amplification 

the multi-photon pulses: even if she attacks every single multi-photon pulse in any manner 
whatsoever and is completely successful in every single case, she gains nothing because we 
will have removed all the associated information. The remaining shared key would be as 
secret as any key generated by a source of pure single particle states. ^^ However, numerical 
analysis based on the complete expression for the effective secrecy capacity derived in this 
paper demonstrates that the achievable throughput rates in this case are unacceptably low. 
Thus the use of i^pyrrhic as a privacy amplification amount serves to defeat Alice and Bob as 
surely as it defeats Eve. We need to try to find a better, not merely sufficient bound that 
will result in acceptable throughput values. 



'^^That is, such a key will be unconditionally secret in the sense of privacy amplification, assuming as one 
must, that privacy amplification would be always required for any practical system employing even solely 
single particle states, as they are subject to the effects of machine-induced errors that must be corrected, for 
which privacy amplification is required to mitigate the effect of possible eavesdropping on the error correction 
protocol. 
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In the remainder of this section, as depicted in the flow chart in Figure |21 we therefore 
construct for the first time the general functions that measure the necessary and sufficient 
amount of privacy amplification subtraction bits required to account for information loss 
associated to the multiple-photon pulses, in addition to which we also construct an explicit 
expression that provides a practical, universal bound that is always at least as large as the 
minimum number or required subtraction bits. 

Splitting the Privacy Amplification Function into Single- and Multi-Photon Parts 

In our analysis we explicitly, additively separate into two pieces the privacy amplification 
associated to single- and multi-photon pulses. The two kinds of cryptanalytic^^ attacks on 
these two kinds of pulses, that necessitate carrying out privacy amplification in the first 
place, are each of a very different character. Attacks on single-photon pulses necessarily 
generate errors, while attacks on multi-photon pulses, when properly performed by the en- 
emy, generate no detectable errors at all. Thus, as we have emphasized in Section 3.1.4 
above, it is natural to mathematically express the privacy amplification subtraction function 
associated to single-photon pulses in units of error bits, as in eq.fl^. while it is clearly 
not physically correct to do so in the case of the privacy amplification subtraction function 
associated to multi-photon pulses. Taking this point further, we note that in our view it 
is neither necessary nor physically meaningful to lump together functionally (as done for 
instance, in |22I) the privacy amplification subtraction amounts for these two very different 
kinds of cryptanalytic attacks. Moreover, the form for the privacy amplification subtraction 
amount associated to single-photon pulses derived in Section 3.1.4 above is appropriate for, 
and allows us to analyze quantitatively, the dynamics of the transmission of actual ciphers 
of finite length, as opposed to merely idealized ciphers of infinite length. Lumping togther 
the privacy amplification contribution for single- and muli-photon pulses into a functional 
form which is only applicable to idealized ciphers of infinite length obscures this possibility. 

Thus, we advocate cleanly additively splitting into two distinct parts the separate contribu- 
tions, which serves both to emphasize the different physical characteristics of the two types 
of attack and allows us to properly analyze the dynamics of ciphers of finite length. 

Three Types of Individual Cryptanalytic Attacks on Multiple Photon Pulses 

In this paper we consider three distinct kinds of attack that can be carried out against 
the multiple-photon pulses in the stream:^^ (1) direct attacks, (2) indirect attacks and (3) 
combined direct and indirect attacks. 



■^^ Strictly speaking, we are not referring to cryptanalytic attacks as such, as this is traditionally defined 
to mean attacks on enciphered data, whereas here we arc discussing attacks designed to determine the key. 

■^■^As noted above in Section 2.2 we again point out that in Part One of this paper we are only considering 
so-called "individual attacks," i.e., those attacks that do not require that the enemy apply unitary transfor- 
mations to the intercepted state with a quantum computing device. We will address quantum computer-based 
attacks in Part Two. 
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We define the direct attacks on multi-photon pulses as attacks in which Eve intercepts the 
stream and attempts to directly determine the polarization of the coherent state by perform- 
ing a suitable measurement. This attack requires a pulse with three or more photons in it. 
The direct attack necessarily destroys the state as received by Eve, but, if she is successful 
in determining the polarization she can attempt to send another state with identical polar- 
ization on to Bob.^'' We refer to the state prepared by the enemy and sent on to Bob as the 
surrogate pulse. If he receives and detects this state it will have arrived just as if it been 
sent by Alice and was untouched by Eve, and in this way the information will be known to 
Eve. There is a quantifiable probability that this attack will be successful, which we discuss 
below. 

We define indirect attacks on multi-photon pulses as attacks in which Eve "splits the beam," 
as a result of which she "keeps and preserves" one or more of the photons in the pulse, without 
measuring their state, and allows the remnant pulse to propagate on to Bob. This attack 
requires a pulse with two or more photons in it. In the indirect attack Eve knows that she 
must not interfere in any way with the remnant pulse that is allowed to continue on to Bob: 
it must arrive at Bob's instrument in the polarization state that it left Alice's system, only 
differing from the original multi-photon pulse sent by Alice in that it contains some smaller 
number of photons than when it left Alice, unbeknownst to Bob. He then measures the state 
of the pulse, and carries out the public discussion phase of the QKD protocol as per usual. 
Eve eavesdrops on the public discussion and learns thereby the particular basis, but not the 
state, of the pulse. Since she has advanced technology at her disposal and has preserved the 
photons that she split off in their original state, she merely measures the polarization in the 
announced basis in order to precisely determine the actual state of polarization. There is a 
quantifiable probability that this attack will be successful which we discuss below. 

Finally, the combined attack occurs when a pulse with five or more photons in it (the reason 
for this requirement on the number of photons is explained below) is intercepted and split up 
by the enemy, allowing both a direct and indirect attack to be performed. This particular 
individual attack appears not to have been discussed previously in the literature of this 
subject. 

In any of these cases Eve will have succeeded in determining the state of polarization of the 
pulse in question, without Alice and Bob noticing that anything has happened: in particular, 
the enemy will have obtained the information without having induced any elevation in the 
error rate. Without an increase in the error rate to indicate that Eve has compromised the 
system, there will be no way for Alice and Bob to know that Eve has the same information on 
those particular bits that they do. Of course, strictly speaking this is not a weakness of ideal 
quantum key distribution, but rather of practical quantum key distribution. However, this is 
a distinction without a difference, as we must concern ourselves with the actual features of a 



■^^So-called "quantum non-demolition" measurements, which have been experimentally demonstrated to be 
able to repeatedly count photons without destroying them, play no role here. To profit from the direct attack 
it is necessary for Eve to determine the state of polarization. In order to measure the state of polarization 
(more precisely, the eigenvalues of the helicity operator) of the photon, it is necessary to select a particular 
basis. 
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realistic implementation in any serious study of this subject. Ideal quantum key distribution 
is actually almost irrelevant here: pure quantum bits propagating along a noiseless quantum 
channel between perfect Alice and Bob instruments comprise a fiction that has very little to 
do with anything that can be implemented in practice. 

We emphasize again that the potential secrecy weakness of practical systems employing 
weak coherent pulses produced by a laser is in general shared by those systems employing 
nonlinear crystals and parametric downconversion as a source of raw bits for Alice. As in 
the case of an attenuated pulsed laser, nonlinear crystals in actual system implementations 
will also sometimes produce multiple photon pulses, which in principle may be exploited by 
an enemy equipped with suitable technology. 

In our analysis of the requisite privacy amplification function associated to multiple-photon 
pulses, we will make use of the results we have obtained for the general case in which 
Bob explicitly monitors for, and eliminates from the sifting process, those bit cells which 
manifestly contain more than one photon. We also consider the special case in which no 
such monitoring of click statistics is carried out. 

We now consider in more detail the three types of attack that can be carried out on the 
multi-photon pulses. 

Direct Attacks 

The logical structure of the analysis carried out in this section is illustrated with the flow 
chart shown in Figure |21 below. 

In the direct attack the enemy intercepts the pulse transmitted by Alice and measures it with 
her apparatus. It becomes increasingly more likely to determine with complete knowledge 
the polarization state of a multi-photon pulse as the number of photons in the pulse increases. 
At the same time, owing to the Poisson distribution that governs the output of the pulsed 
laser used by Alice, and the fact that Alice will in general adjust the flux to be suitably 
weak through the use of appropriate intensity filters, it becomes increasingly less likely to 
encounter a multi-photon pulse as the number of photons in the pulse increases. Thus, there 
is a competition between these two effects, and to ensure the secrecy of the shared cipher it 
is essential to analyze the balance between them to carefully deduce precisely the maximum 
amount of information that may be obtained by Eve in measuring these states. 

An important point, discussed in more detail below, is that the direct attack can only succeed 
if the pulse received by the enemy apparatus contains three or more photons in it. 

To proceed, we note that in j221 it is shown that one may make use of the results of [33] 
to deduce an explicit expression for the maximum probability to unambiguously determine 
the polarization of an incident Fock state comprised of / photons distributed according to a 
Poisson distribution. (Such an incident state includes as a special case in particular a coherent 
state comprised of / photons.) We shall refer to this probability as Ze{^), the maximum 
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probability that Eve may with complete knowledge determine the state of polarization of an 
incoming /-photon pulse. In j22l 122] this was found to be given by 



/ < 2 

ZEil) = { 1 - 2i-'/2 / even 
1_ 2(1-0/2 /odd. 



(56) 



We know that irrespective of the apparatus utilized by Eve, it will be the case that the pulse 
she intercepts from Alice will be characterized by a Poisson distribution,^^ so the appropriate 
average maximum probability, ze (/x), for Eve to be able to determine the polarization state 



^^As mentioned above, we assume that the intrinsic characteristics of the quantum channel are such that 
the Poisson number distribution produced by Ahce is preserved (of course, as we discuss exphcitly below, it 
is entirely possible that the enemy may somehow alter the distribution on its way to being received by Bob). 
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with complete knowledge is 



./^' 



1=0 ''■ 



X (/i, Ze (/) 



/>3 



= l-e-''[V2sinli-^ + 2cosh-^-lJ . (57) 

It is obvious that, insofar as determining the polarization state with complete knowledge is 
concerned, a two-photon pulse is no more useful than a single-photon pulse is: with only 
two photons in the pulse it is not possible to determine the state of polarization, although it 
is possible to determine the polarization basis in this case. However, a direct measurement 
of the pulse that furnishes the identity of the basis necessarily destroys the polarization of 
the two photons, making the pulse unsuitable for a further measurement to determine the 
state. (Moreover, the basis, in any event, would have been publicly revealed to the enemy 
in the discussion between Alice and Bob.) As expected, and as noted in J22], the leading 
order behavior of ze (a*) varies as the cube of the mean photon number, and is specifically 
given (c/eq.(jnZ|)) by ze (/x) = ^//^ + O (/x"^), reflecting the fact that three or more photons 
are required in order to unambiguously determine the state of polarization of the pulse. We 
note that there is no manifest appearance of the efficiency, tje, of Eve's detector apparatus 
in the quantities ze (0 or ze (/i), as we are implicitly assuming that Eve is equipped with 
perfect detection equipment, so that we have implicitly set r]E = ^■ 

The function ze (/i) is "universal," in the sense that it provides an upper bound for all choices 
of apparatus on Eve's probability to determine the polarization of an intercepted multi- 
photon pulse with complete knowledge. With any particular measurement apparatus. Eve 
may typically in practice realize a /ower probability of polarization determination: in |MII3^ 
a particular setup was described which provides Eve with a probability of ^/i^ + O (/x"^). In 
our analysis we will employ the maximal value given in eq. (j^7j) above, to allow for the 
strongest possible enemy attack. 

To proceed in as general a manner as possible, we will formulate the expressions for privacy 
amplification subtraction from first principles in terms of the various underlying probabilities 
associated to the different processes that take place. This is analogous to our deduction of 
the numbers of sifted and transmitted error bits previously carried out in Section 3.1.1. 
There we considered all processes that characterize the propagation of signals in the absence 
of an eavesdropper. An important difference here is that we must explicitly take into account 
the various types of activities that an eavesdropper may conduct. Denoting as before the 
various relevant probabilities by V with appropriate arguments, we have 

V (/ photons leave Alice) = x {f^y ; (^S) 
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V u photons reach Eve / photons leave Ahcej =,, (o^ P ) [^ ~ ^ P ) ' 

(59) 
V (polarization determined with certainty /' photons reach Evej = ze {I') , (60) 

V Ue photons leave Eve in some distribution S) = S (/i^;, Ie) , (61) 



V ( /" photons reach Bob Ie photons leave Eve ) = (,^)(« p ) [1 — a p 




EB ' EB I \ EB ' EB 



(62) 



and 



V (/'" ph 



otons detected 




// //// 



i"~i 



I" photons reach Bob) = 77 (1 — 77) (1 — (5o,«"') . (63) 



Note that, as discussed above, ze{1') in eg. (1^01) embodies the requirement that the pulses 
vulnerable to the direct attack must contain three or more photons, in effect it includes a 
factor of the Heaviside function 6* (/ — 3) in its definition (c/eq.(jHSl))-'^^ 

In eqs. (jKTU) and (jH^ we have introduced the quantities a , p , a and p . The quantities 
a and a are, respectively, the line attenuation amounts along the quantum channel for 
the Alice-Eve and Eve-Bob link segments. Note that the product of the two partial line 
attenuations gives the total line attenuation, a, along the entire quantum channel from Alice 
to Bob (we assume that Eve is between Alice and Bob), so that we have 

a a = a . (64) 

AE EB ^ ' 

The quantities p and p each satisfy the inequalities < p < a^^ and < p < a~^ . 

^ '^ AE i^ EB J -^ — f^AB — AE — ' EB — EB 

These are parameters that measure the degree to which the enemy can somehow "adjust" the 
transparency of the quantum channel so as to increase the amount of information that can be 
obtained on the transmitted bits. Thus, a value of Pae,eb = ^ OiAE,EBPAE,EB = corre- 
sponds to a totally degraded quantum channel, '^'^ a value of Pae,eb = 1 ^ o:ae,ebPae,eb = 
o:ae,eb corresponds to the case when the enemy does not modify the transparency, thus 
leaving the fiducial amount of line attenuation in the channel, and a value of Pae,eb = 
^~AE EB ^ (^AE,EBpAE,EB = 1 corrcspouds to the case in which the enemy has made the 
quantum channel perfectly transparent. 

There are different cases for us to consider. In the case of a fiber-optic implementation 
of QKD, it may be reasonable to analyze the case in which the entire quantum channel is 
surreptitiously replaced by the enemy with an "ideal," lossless cable. In this case, we would 



^^Indeed, one way to proceed in evaluating sums over products of ze {I) with generic ^-dependent quantities 
yi is to write such sums as Y^i ^e (0 Vi == I]fc=i (l - Z^"*") y2fe + Z]fc=i (l ~ 2"'') y2k+i- The impUcit factor 
oi 9 [I — 3) in ze (0 ensures that the indicated ranges of summation over k, in each case beginning with 
fc = 1, are in fact correct as written for both the even and odd terms in the two sums. 

•^^This case constitutes denial of service, since no signals of any kind can propagate through the channel 
when pae,eb = 0, and therefore falls outside the purview of an analysis of eavesdropping attacks. 
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have p = a ^ and p = a ^ after the cable replacement, resulting in the elimination 

'^AE AE ^ EB KB sr 1 o 

of the line attenuation along the cable. In the case of a free space implementation, it is 
unreasonable to imagine that the enemy can replace the channel with one of perfect, or even 
improved, transparency. This is entirely well-motivated physically: in this case a replacement 
of the quantum channel with one of better transmission characteristics amounts to imagining 
that Eve can replace the atmosphere with one that she prefers. Even if this were possible, 
it would presumably not go unnoticed by Alice, Bob and the rest of the population of the 
planet. Note that this effect cannothe mimiced by adjusting the frequency of the photons in 
the reconstructed pulses, as proper "technically sound cryptosystem" operating procedure 
dictates the use of a narrow bandpass wavelength filter in the front of Bob's receiver which 
will physically exclude any such wavelength-modified incoming photons. 

However, in the case of a free space QKD implementation it may nevertheless be possible for 
the enemy to anyhow effect a partial, and sometimes even a complete, effective improvement 
of the transparency of the channel. For instance, we may imagine that the interception 
apparatus of the enemy is secretly located immediately adjacent to the Alice site (we ascribe 
to the enemy superb powers of camouflage and technical skill), ^^ thereby effectively producing 
the value p = a'^E =^ P Oi =1. (Strictly speaking we would presumably actually have 
the condition p ~ a~^ rather than p = a~^ in this case, since Eve is presumed adjacent 

^AE AE ^AE AE ' f J 

to, but not physically coincident with, Alice.) In the case of the direct attack, in which a 
surrogate pulse is sent on to Bob, we may /urt/ier imagine that the physical location of the site 
from which the surrogate pulse is launched is likewise placed immediately adjacent to (and 
somehow undetected by) Bob. This allows the two enemy collaborators to entirely circumvent 
the attenuation of the free space quantum channel by simply communicating instructions 
to each other clasically, which has the effect of causing p = a^^ => p a =1. Note 

■^ ' ^ "^ES EB ' EB EB 

that, in the case of the indirect attack (to be discussed in great detail below), the same 
options are not simultaneously available to the enemy in the case of the free space quantum 
channel. This is because, unlike in the direct attack, it is necessary that the pulse that is 
allowed to travel on to Bob not be modified, and its polarization state remains unknown 
to the enemy. Hence, no "conspirator" can participate in the transmission of the pulse. 
Thus, Eve can be located either immediately adjacent to Alice, in which case we have 
p = a~^ =^ P o. = 1, or Eve can be located immediately adiacent to Bob, in which 

'^ AE AE AE AE ^ J J ^ 

case we have p = a~^ =^ p a =1, (or somewhere in between) but both endpoint 

'^ EB RB '^ EB EB ' ^ ' '■ 

conditions cannot simultaneously be realized: there cannot be a "second Eve" located at the 
other end.'^^ 



^®As discussed below in Sections 4 and 5, we envisage for the free space case an implementation in 
which Alice is located on an orbiting satellite and Bob is located on an aircraft or the ground, so that 
the undetected placement of an eavesdropping interception device immediately adjacent to Alice is almost 
impossible to imagine for any actual, practical situation unless Eve can literally make herself invisible. Again, 
we are assuming that the entire praxis of communications security, in addition to the narrower requirement 
of crypto secrecy, is properly implemented, so that physical access of the enemy to the Alice and Bob devices 
is (1) assumed to be prevented, and (2) in any event is not reasonably within the purview of the QKD 
protocol per se. 

■^^We emphasize that all detailed discussion of entanglement in quantum cryptography, including analysis 
of entanglement-assisted attacks, is performed in Part Two of this paper. We here merely point out that 
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Whether for a free space or fiber optic cable implementation, after imposing the condition 
p = a~^ the expression for the privacy amplification that results will still retain a de- 
pendence on a .In the case of a free space implementation only, one may without loss of 
generality always interpret this residual a -dependence in fact as dependence on the entire 
line attenuation, a, of the quantum channel, since in this case the value of a is due to the 
conditions along the entire propagation path from Eve (who is adjacent to Alice) to Bob. 
However, in the case of a fiber-optic cable system, for which it might be possible for Eve 
to achieve the condition p = a~^ by directly replacing the channel between Alice and 
herself without necessarily having to place an interception device immediately adjacent to 
Alice (although this might also be done), it obviously need not be true in general that the 
residual a -dependence corresponds to the entire line attenuation a. 

Note that we do not introduce a parameter analogous to p or p to describe the degree 
to which the enemy can remotely "control" or adjust the quantum efficiency, 77, of Bob's 
detector device. We are assuming, in accord with the discussion in Section 2.4.2, that proper 
cryptographic procedure and design is followed in the system implementation, so that the 
enemy cannot enforce the condition 77 — >■ 1, nor even cause any non- negligible change in the 
value of rj at all. The only physically reasonable method whereby such remote "control" 
could succeed is through the modification of the wavelength of those photons that propagate 
successfully to Bob's detector. Clearly this cannot work in the case of the indirect attack, 
as its success requires that Eve not prepare the state allowed to continue on to Bob in any 
way. Moreover, even for the direct attack such wavelength modification can, as mentioned 
above, be trivially neutralized in any event by placing a narrow bandpass filter in front of 
Bob's detector apparatus, thereby preventing (with high probability) any photons of modified 
wavelength from entering the device. 

After successfully determining the polarization state of the intercepted pulse, the enemy may 
prepare an identically polarized state in any way that is deemed to be advantageous and send 
the surrogate pulse on to Bob. Although the enemy may send any (properly polarized) pure 
state or mixture to Bob, these states may practically be regarded as mixtures of number 
states^° owing to the facts that (1) Bob is employing a photon number detector, and (2) 
anything else will provide a signature that the eavesdropper has tampered with the signal, 
alerting Alice and Bob who will then discard the bit cell. Therefore, although the distribution 
function S in eq. ()6H) is not necessarily identical to the Poisson distribution, we can without 
loss of generality always take it to be some discrete distribution, H = E{pe,Ie), that is 
characterized for each bit cell by both a mean, pE, and a particular number, Ie, of photons. 
Of course, there need be no particular a priori relation between the number of photons, /', 
in the pulse that Eve intercepted and measured in order to detemine the polarization state. 



inclusion of entanglement-assisted attacks against individual quantum bits in particular, which would allow 
a second Eve adjacent to Bob to effectively eliminate the line attenuation even for the indirect attack (if 
prior entanglement is shared between her and the first Eve located adjacent to Alice), does not change the 
functional form of the final expressions for multi-photon privacy amplification obtained in eas. (|14H l through 
(|151(l below. The only change is that the distinction between optical-fiber and free-space implementations 
is eliminated, with a consequent modification of the associated throughput rates |2()j . 
"'"This has been noted as well in 1221. 
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and the number of photons, Ie, that is sent on by Eve to Bob. 

We may now deduce the exphcit expression for the privacy amphfication subtraction function 
associated to individual direct attacks, which we denote by u^, by assembhng the appropriate 
probabihties from eqs.(fSH|) through (jHSJ- We find 
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(65) 



The general form of this quantity is simple to explain in physical terms: it is the probability 
that the enemy can with certainty determine the polarization of a multi-photon pulse given 
that it has been intercepted, multiplied by the probability that a surrogate pulse in the same 
state of polarization can arrive at and be detected by Bob, measured in a distribution S 
chosen solely by the eavesdropper.^^ 

This expression provides the amount of privacy amplification subtraction required in order 
to compensate for direct attacks on all of the multi-photon pulses that contain three or more 



^^We note in passing that the sum J2i'=o ( /' ) {^aePae) (^ ~ ^aePae) ^^ ('') ^^^ ^^ expHcitly eval- 
uated to a closed form, but as it is not particularly illuminating we have not displayed the result here. 
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photons. It is clearly not the most general expression for the total amount of privacy am- 
plification subtraction required in order to ensure unconditional secrecy, as such a uniform 
attack on all multi-photon pulses with three or more photons is only one possible cryptana- 
lytic strategy that may be employed by the enemy. In general, we also need the expression 
for the amount of privacy amplification required in order to protect against a direct attack 
on any particular multi-photon pulse with I photons in it, which we denote by u^^i. We may 
obtain the relevant quantity by direct inspection of eq. ()65|) . to find 
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where we have introduced the notation ipi (yu) = x (a*; 0- Inspection of the above expression 
reveals the fact that, irrespective of the particular form of S, the magnitude of the privacy 
amplification function associated to direct attacks increases as the quantum efficiency of 
Bob's photon detector increases (recall that the product rja p satisfies the inequality 
rja p < !)• Thus, we have the seemingly paradoxical situation that, due to the special 
nature of the direct attack, more information is potentially at risk to compromise by Eve 
when Bob's detector apparatus is characterized by a better detector efficiency than when 
characterized by a poorer efficiency. 



Now we note that, if p = a , which means either that in some way the enemy has 
arranged that the quantum channel between Alice and herself is free of any attenuation (in 
the case of a fiber-optic cable system), or effectively done the same thing by situating the 
interception apparatus immediately adjacent to Alice (in either a cable- or free space-based 
implementation), the cofactor of ze in the summand of the sum over /' becomes a Kronecker 
delta^^ enforcing /' — »■ /, so that we have (note that the sums over /' and Ie are completely 
functionally independent of each other) 
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■^^Upon specifically setting p^^ = a^^ in the general sum Y.i'=o [i') {^aePaeY (^ ~ '^aePa 
obtain Y!v=o iv) (1)' (1 ^ 1)' ' Vi' = Y!v=o iv) Si,i'yi' = Vi for any /'-dependent quantity yi'. 
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in the case that the enemy has performed a direct attack on all the multi-photon pulses with 
three or more photons (where Ze (/i) is given in eq.()57p). and 



lydJ 



m 



—ipi (/i) Ze (0 J2 - (f^E, Ie) 



1 - 



(1 



ria p 

' EB'EB 



(68) 



in the case of a direct attack on any particular pulse with / photons in it. 



We now confront an important fact about the direct attack. Alice and Bob may never be 
able to learn the detailed functional form of S {^EiIe)-, and certainly will not if we simply 
(conservatively) assume that the enemy is always capable of witholding this information 
from them. Without knowing the explicit form of S (/x^, Ie) chosen by the enemy for the 
preparation of the surrogate pulse to be sent on to Bob, we are to a certain extent limited 
as to what we can predict about the effect of this function on the operating characteristics 
of a practical QKD system. However, we may note that the sum over Ie is a probability 
function, and thus its value is constrained to range between and 1 only. Thus from the 
point of view of Alice and Bob, the worst case, or maximum values possible for either v^ or 
i^d,i are 
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respectively. We note that these worst case results, which have been defined to be indepen- 
dent of a , are clearly also independent of both rj and a (and therefore also independent 
of a a = a). Thus, if the enemy can choose a suitable distribution function S in which 

AE EB ' ' •' T— — 1, 

to prepare the surrogate pulses such that sum over Ie in eq.(|U3j) (or eq.(|Mj)) becomes 
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the enemy can gain full effective control over both the total line attenuation and the quantum 
efficiency of Bob's detector without having to physically tamper with either the quantum 
channel or the detector! In order for her to achieve this, though, it is essential that Bob 
not monitor the click statistics of his detector. If he does monitor click statistics, as we 
discuss below, he can partly prevent Eve from gaining such control: he can prevent her from 
controlling his detector efficiency, but cannot prevent her from gaining control over the line 
attenuation. 

We can do more if we assume a particular form for S (/i^;, Ie)- If as before, we take p = a~^ 
and we further assume that the enemy in particular prepares the surrogate photon states in 
a Poisson distribution, so that we have S = x, we find 
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in the case of a direct attack on all of the multi-photon pulses containing three or more 
photons, and 

—tpi in) Ze (0 ^p>i {vf^Ea^^ p^^ ) , (73) 
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in the case of a direct attack on any particular ^^vXse with / photons in it. This result is easily 
interpreted as the probability that Alice sends a pulse with / photons in it, multiplied by 
the probability that Eve can with complete knowledge determine the state of polarization 
of that pulse, multiplied by the probability that Bob will observe a pulse with one or more 
photons in it, taken from a stream sent by Eve characterized by an effective mean photon 
number per pulse of rjpEOi p 

We now see, quite explicitly in the case of the direct attack based on the use by Eve of 
a Poisson distribution for the surrogate pulses allowed to go on to Bob, that the value of 
the fact that Eve cannot "remotely" control the value of the quantum efficiency, ?7, of Bob's 
detector^^ is completely taken away. In other words, it doesn't matter that Eve can't directly 
control the quantum efficiency of Bob's detector: as long as Bob chooses not to monitor the 
click statistics of his detector (to be discussed below). Eve can effectively mimic control over 
rj. An appropriate tuning by the enemy of the value of the statistical mean flux pE such 
that the product rfpECi p is as large as required to produce a value of il)>i [ripEd p ) 
that is arbitrarily close to unity, can evidently have the effect of achieving the same result of 
maximizing the amount of compromised bit information.^^ By the same token we see that 
Eve does not have to arrange for a collaborator to be located next to Bob: the tuning of Pe 
also results in the effective replacement of a by unity. 



^■^As discussed previously, this is due to the presumed use by Bob of a narrow bandpass wavelength filter 
in front of his apparatus. 

^^Note that Eve docs not need to know in advance the value of -q to achieve this (in general Eve won't 
know the value of rj if Alice and Bob follow proper technically sound cryptosystem practice and withhold 
this from her). If Eve doesn't know the value of rj in advance she can infer the value as follows: During a 
period of the transmission in which she does not carry out any attacks as such, she may perform quantum 
non-demolition photon number measurements from which she can determine the value of the mean photon 
number fi characterizing Alice's source. She can also determine the fraction n/m by listening to the public 
discussion pertaining to this portion of the transmission. Using the relationship n/m = ^ ['0>i ivf^ct) + rd] — 
\'ip>i (f?Ma) ~ "rjiJLa {cfeqs.^ and ^\b\ ) she can then deduce the approximate value of the product rja, from 
which she can then infer the value of rj. Alternatively she can simply reasonably assume that Bob is using 
a detector for which the value of rj is not too small to be useful and adjust ^e accordingly. 
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Thus, to sum up, in the absence of explicit monitoring of click statistics by Bob, whether 
a free space or optical fiber quantum channel is used is immaterial: in either case, with or 
without an enemy collaborator located at another position along the quantum channel, and 
with or without any capability to physically adjust the transparency of the quantum channel 
in any way, and without ascribing to Eve the physically nonsensical ability to "remotely 
control" the quantum efficiency of Bob's detector, in carrying out the direct attack the 
enemy can anyhow entirely "tune away" the values of both a and t] to the values that allow 
for maximal vulnerability of the transmitted multi-photon pulses. This has explicitly been 
proved to be true (cf eq. (|7^ ) in the case that the enemy prepares the surrogate pulse in a 
Poisson distribution, and is probably true for many other distributions that might be chosen 
as well. However, the fact that we have found at least one distribution for which this is 
clearly possible dictates that we must assume that Eve can always choose to achieve this 
maximal, worst-case possibility. Thus, we can replace the expression given in eq. (jHH) with a 
universal maximal privacy amplification amount for the direct attack, for which we no longer 
impose only the condition p = a"^ , but also p = a^^ (which amounts to allowing that 
Eve has completely eliminated the attenuation by effecting the replacement a ^ 1): 
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However, we have assumed thus far that Bob adamantly does not monitor the statistics of 
his detector clicks in the above analysis. As we shall now show, the very strong capabilities 
of the enemy reflected by the above two equations are somewhat reduced if Bob explicitly 
does monitor click statistics. 

Now we examine the more general case in which Bob explicitly monitors the click statis- 
tics and discards those bit cells which manifestly contain more than one photon by having 
produced simultaneous clicks. We do this by following the procedure used in making the 
replacement of eq. (jl5p by eq.(|25|). in which case we flnd (as before, the subscript mcs stands 
for "monitor click statistics") 
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in the case that all multi-photon pulses with three or more photons are subjected to a direct 
attack, and 
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in the case of a direct attack on any particular pulse with / photons in it. 



As in our previous analysis leading to eq. (j67|) . if we again (very conservatively) assume that 
the enemy has the capability of somehow arranging for the removal of any line attenuation 
between the location of Alice and the interception site, so that we have p = a~^ , we find 
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If we now also examine the case in which the enemy in particular prepares the surrogate 
states in a Poisson distribution so that S = x, one obtains 
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Comparison of eqs. ()81|) with ()73p reveals the benefit of incorporating the monitoring of click 
statistics into the QKD protocol. First we rewrite eg. ()73|) as 
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and compare with eq. ()81|) . Looking first at the first terms in each of the square brackets, we 
see that by tuning the mean flux ^e appropriately, the products ^e^ p and rjfiECt P 

EB EB EB EB 

(for the cases of i'd,i,mcs and z/^,;, respectively) can assume values such that the functions 
■^1 [VPeO! p ) and V'l ipEOi p ) reach their maximal, optimal values (from the per- 
spective of the enemy), thereby maximizing the amount of information obtainable by the 
enemy. However, we see that, by employing monitoring of the click statistics, Alice and Bob 
can force the reduction of this maximum amount of vulnerable information on bit encodings 
otherwise available to Eve by an amount rj: this is where significance of the fact that Eve 
cannot "remotely" control the value of t] comes into full force. An analogous reduction in the 
amount of vulnerable information will arise from the remaining terms in the square brackets, 
which will in general depend on the details of the functional form of zb [t], I). 

Indirect Attacks 

The logical structure of the analysis carried out in this section is illustrated with the flow 
chart shown in Figure |3] below. 

As described above, in the indirect attack the enemy receives a multi-photon pulse, "splits 
the beam" and retains one or more photons - unmeasured - in an appropriate quantum 
memory while allowing the remaining photons in the pulse to propagate on to Bob, without 
disturbing them in any way. As always in our analysis, we ascribe to the enemy superior 
technological capabilities, and do not delve into the methods whereby the photon or photons 
retained in quantum memory can actually be so preserved. We also assume as before that 
the enemy possesses perfect photon detection equipment, so that r]E, the intrinsic quantum 
efficiency of Eve's detector apparatus, may be once and for all set equal to unity. 

We proceed to deduce the form of the privacy amplification function appropriate to indirect 
attacks on multi-photon pulses. As before we work from first principles by listing the relevant 
probabilities for the various processes that make up the dynamics, which are given by 

V{1>2 photons leave Ahce) = x {p, I) 9 [1-2) , (83) 
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(85) 
and 

V (r photons detected /" photons reach Bob) = ( , ) V^'" (1 - vY'"^'" (1 - ^o,i"') ■ (§6) 
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In eq.(j8oj) the 6'-function enforces the condition that there must be at least two photons in 
the pulse received by the enemy in order to carry out the indirect attack. In eq. (J85|l u is 
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Figure 4: Flow Chart for Analysis of Indirect Attacks 

the number of photons split off (and preserved in some suitable quantum memory) by the 
enemy, and it satisfies the inequality u < Umax, where Umax is (one less than) the number 
of photons that were contained in the pulse as received by Eve. We refer to the part of the 
pulse that is allowed to propagate on to Bob as the "remnant" pulse. Unlike the case in 
the direct attack, the remnant pulse must not be amplified or prepared in any way by Eve, 
lest she give herself away. In the general implementation scenario in which Bob monitors 
the statistics of the detector clicks, it is not obvious a priori which value for u is optimal for 
the enemy. For instance, if Eve splits off and retains one photon, this allows the maximum 
strength remnant pulse to go on to Bob, which is presumably advantageous in the case of a 
channel with strong attenuation, but in this case there will be some admixture of multiple 
clicks observed and discarded by Bob. Alternatively, if Eve splits off and retains all but one 
of the photons in the pulse, then the single photon in the remnant pulse will defninitely not 
cause a multiple click to occur in Bob's detectors, and thus the factor zb ij], I) will not cause 
Eve to lose some of her advantage, although the received signal will be fully subjected to the 
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effects of line attenuation and Bob's detector inefficiency. This type of puzzle can be resolved 
through the use of numerical methods. In the case of the indirect attack on a multi-photon 
pulse with / photons, there will in general be / — 1 distinct possible values for u that may be 
chosen by the enemy. 



We now deduce the explicit expression for the privacy amplification subtraction function 
associated to indirect attacks, which we denote by z/,- , where the superscript "(u)" indicates 
the number of photons that the enemy chooses to remove from the multi-photon pulse and 
retain untouched in quantum memory. Upon assembling the appropriate probabilities from 
eqs.(jHSI) through (jHBj) we find 
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The physical description of this resuh is straightforward. This quantity is the total amount 
of the information contained in the multi-photon pulses (the first term, ?/;>2, in the double 
square brackets), diminished by a complicated expression that takes into account the effects of 
the imperfect nature of both the quantum channel itself and the quantum efficiency of Bob's 
detector. This form clearly shows that simply subtracting the entire amount of information 
contained in the multi-photon pulses (as has apparently been done in all previous analyses) 
in order to protect against eavesdropping attacks is sufficient, but obviously not necessary 
in the presence of attenuation and/or imperfect detector efficiency in Bob's apparatus. 

The above result provides the amount of privacy amplification subtraction required to com- 
pensate for indirect attacks on all multi-photon pulses. As in the case of the direct attack, 
we also need the expression for the amount of privacy amplification required in order to 
protect against an indirect attack on any j>artzcit/ar multi-photon pulse with I photons in it, 
which we denote by i^ii- Reading off the relevant quantity from the above calculation, we 
have 
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(88) 



These results may be explored in a number of limits. If we specialize the above to the case 
p - --1 
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In the case that we have p = a ^ , we find 
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If we consider the case in which both p = a ^ and p = a ^ , corresponding to the 

^AE AE ^EB eB^ ^ ° 

situation for a fiber-optic cable implementation^^ in which the enemy has somehow replaced 
^^As discussed above, in the case of a free space implementation it is not necessary to analyze the case in 
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the cable with an ideal "lossless" channel, we have 
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We note that, unlike the case for the direct attack, in the indirect attack there is no parameter 
that multiplies rj that is under the control of the enemy that can be used by the enemy to 
"remotely control" or adjust the value of the quantum efficiency of Bob's detector to a value 
that is optimal for Eve, so that the above expression is indeed the worst case (from the 
perspective of Alice and Bob), or maximal value of the amount of privacy amplification 
subtraction that needs to be carried out to ensure a secret shared cipher. 

Note that if we anyway examine the (artificial) limit of perfect detector efficiency, r] -^ 1, 
the quantity ^/l"-'''""^ j^ f,\i[g "more-than-maximal" case (denoted by the superscript ^^max+'^) 
becomes 
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so that, as expected, in the limit of a perfectly lossless channel (so that all of the multi- 
photon pulses reach Eve and that all of the split-off pieces she lets pass go on to reach Bob), 
perfect detector efficiency (ensuring that all of the split-off pulses that reach Bob are in 
fact detected) and complete, indirect attack compromise of all of the multi-photon pulses 
(effected by the sum over all /), there is a corresponding loss to the enemy of all of the 
information contained in those pulses. 

The results in eqs.(jHZ|) through (j^J^ apply to the case in which all multi-photon pulses are 
subjected to indirect cryptanalytic attack. In case of an indirect attack on a particular 
multi-photon pulse with / photons in it, for the situation in which p _ = a"^ , we have 
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(94) 



which the transparency of the quantum channel is modified. At most, in this case we can imagine that either 
p = a~^ (meaning that Eve is physically next to Alice) or p = a~^ (meaning that Eve is physically 
next to Bob), but both conditions together are not possible for Eve to impose. 
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The situation described by eq.(|^ for the case that p = a ^, which arises either if Eve 
is located immediately adjacent to Alice (in the case of a free-space or fiber-optic cable 
implementation) or if Eve has somehow been able to replace the cable between herself and 
Alice with a perfect one, is particularly interesting. We will see that it is always advantageous, 
irrespective of the values of p or p (and, importantly, in the absence of click statistics 
monitoring by Bob), for the enemy to choose the value u = 1, which means that only one 
photon in the multi-photon pulse is split off and retained in quantum memory, with the 
other / — 1 photons allowed to travel on to Bob in the remnant pulse. For example, there 
are two possible values for u in the case of a three-photon pulse: u = 1 and u = 2. We find 
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since 2 — rja p > 1 due to the fact that rja p < 1, and using eq. ()88j) it is easy to 
show that in general one has 

-S > -t'' ' (97) 

and finally we note that this inequality remains true for all allowed values of p , and in 
particular for the case p = a~^ . When both p = a~^ and p = a~^ we have modeled 
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the worst case scenario (from the perspective of Alice and Bob) in which the enemy has 
completely replaced the quantum channel with one of perfect transparency,'^^ so that 



{u) 



"AE- 

"eb'- 



AE 
-1 



|v^K/i)^(^-2)[l-(l-r/)'-" 



= V. 



(u),max 
,1 



(98) 



and we have 
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^^As noted before, this is perhaps reasonable to diseuss in the case of a fiber-optic cable implementation, 
but is not possible in the case of a free-space impementation. Moreover, since we are now analyzing the 
indirect rather than the direct attack, it is not possible for the enemy to circumvent the physical line 
attenuation by employing a collaborator located adjacent to Bob. Accordingly, when predictions derived 



from the use of v, 






based as it is on the absence of any line attenuation whatsoever, are applied to the 



case of a free space implementation, any such results can be safely understood to be overly conservative. 
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in complete generality. Since in the above case we assume that there is no explicit monitoring 
of multiple click statistics, this result is easily explained. The enemy retains only one photon, 
maximizing the number of photons in the remnant pulse and thereby increasing the chance 
that the remnant pulse will be able to propagate through to Bob in spite of the presence of 
some amount of line attenuation. Of course, if Bob is actively monitoring click statistics, the 
enemy faces the risk that a larger number of photons in the remnant pulse will cause the bit 
cell to be identified as carrying a multi-photon pulse and thus be discarded from the sifting 
process. 



As with eq.(j92j), where we studied for the case of the indirect attack on all the multi-photon 
pulses the articifial (and unenforceable by the enemy) but theoretically interesting limit in 
which ?7 — i> 1, we may examine this for the "more-than- maximal" strength indirect attack 
on a particular multi-photon pulse (denoted as before by the superscript "ma2;+"). From 
eq.ijHHl) we have 
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This result means that as before, in the limit of a perfectly lossless channel and perfect 
detector efficiency in Bob's apparatus, as long as the enemy doesn't make the mistake of 
keeping all of the intercepted photons (which corresponds to setting m = /, in which case 
none of the information is compromised since Bob doesn't receive anything, effected by the 
factor 1 — 6i^i = 0), all of the information contained in the /-photon pulse is compromised in 
this artificial and unrealizable more-than-maximal version of the indirect attack. 



The case of pulses with precisely two photons is of considerable importance, since only 
indirect attacks are possible for these. In this case the only allowed value for u is u = 1, and 
we find 
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If we now also set p = a ^ , which as above amounts to assuming that the enemy has 
completely replaced the quantum channel with one of perfect transparency, we see that the 
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worst case (again, from the perspective of Alice and Bob), or maximum value of required 
privacy amplification is 
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Thus, the fact that the enemy cannot remotely control and alter the value of rj is very 
significant, as it implies that the enemy cannot obtain the full information content of the 
two-photon pulses in the transmission. Unlike the case of the direct attack, for which the 
quantity fiE provides the enemy with a parameter (that is beyond the control of Alice and 
Bob) that can "tune" the quantum efficiency of Bob's detector to that value which is optimal 
for Eve, in the indirect attack the enemy can at most obtain a fraction t] of the information 
content of the two-photon pulses. 



We may reconsider the entire analysis of indirect attacks for the case corresponding to explicit 
monitoring of click statistics. Carrying through the algebra for this yields 
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for the case that all the multi-photon pulses are subjected to the indirect attack in the 
presence of click statistics monitoring, and 
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for the case that a particular /-photon pulse is attacked. 

If we assume that p = a~^ we find the considerably simplified forms 
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The logical structure of the analysis carried out in this section is illustrated with the flow 
chart shown in Figure El below. 
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Figure 5: Flow Chart for Analysis of Combined Direct and Indirect Attacks 
Until now we have considered the situation in which, having intercepted a multi-photon pulse 
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containing / photons, the enemy carries out either the direct attack or the indirect attack, 
and we have considered this in the cases that the attacks are performed either on a particular 
pulse or on some number of them (including all of them). However, in addition to carrying 
out a general admixture of purely direct and purely indirect attacks, distributed in some 
way amongst the various multi-photon pulses, it is also possible for the enemy to perform 
what we shall refer to as a combined direct and indirect attack on any given intercepted 
multi-photon pulse, as long as the pulse contains five or more photons. This type of attack 
appears to have never been previously analyzed. The requirement for five or more photons 
arises as follows. To carry out the direct part of the attack, the enemy requires at least 
three photons in order to determine the state of polarization with complete knowledge; to 
carry out the indirect part of the attack, the enemy must split the beam and retain at least 
one (unmeasured) photon in a suitable quantum memory, and allow a remnant pulse of at 
least one (unmeasured) photon to propagate on to Bob. Of course, any given attack on any 
given intercepted multi-photon pulse is either successful in providing the enemy the identity 
of the state or it isn't: the purpose for the enemy in carrying out the combined attack 
would be to try to increase the likelihood that the information extracted on the pulse can 
be increased to a higher value than possible with either a purely direct or purely indirect 
attack. The question is whether or not this occurs. As we will show, in the general case 
the combined attack is not as strong as either a particular purely direct or purely indirect 
attack.^^ The combined attack furnishes, for any given multi-photon pulse, a "continuum 
region" of success outcomes for the enemy connecting the purely direct and purely indirect 
attacks. The analysis is complicated by the competing effects of the quantum efficiency of 
Bob's detector and any residual line attenuation on the quantum channel that the enemy 
has not managed to in some way eliminate. 

There are a variety of ways in which the photon content of a given multi-photon pulse with 
five or more photons in it can be disassembled by the enemy to carry out the combined 
attack. The number of distinct types of combined attack grows rapidly with the number of 
photons in the multi-photon pulses. For example, with a multi-photon pulse that contains 
/ = 5 photons, there is only one possible combined attack. In this case the enemy can split 
off three photons from the pulse to carry out the direct attack and subject the remaining 
two photons to the indirect attack, for which the number of photons in the remnant pulse is 
necessarily unity so that u = 1 photon is retained in quantum memory by the enemy. When 
there are / = 6 photons in the pulse, there are three distinct combined attacks possible: (1) 
the enemy can split off three photons for the direct attack, which leaves three photons for 
the indirect attack, of which -u = 1 is retained in quantum memory with two photons in 
the remnant pulse, or (2) the enemy can split off three photons for the direct attack, which 
leaves three photons for the indirect attack, of which u = 2 are retained in quantum memory 
with one photon in the remnant pulse, or (3) the enemy can split off four photons for the 
direct attack, which leaves two photons for the indirect attack, of which n = 1 is retained in 
quantum memory with one photon in the remnant pulse. 

The analysis of the various possibilities is governed by the fact that, for any given multi- 



^''For completeness it is nevertheless of value to understand the combined attack in detail. 
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Table 1: Set of Distinct Purely Direct, Purely Indirect and Combined Attacks for / = 5. 

photon pulse, the enemy can choose to perform any of the allowed combined attacks, or any 
of the allowed purely direct or indirect attacks. To organize the different possibilities, we 
introduce the following notation to represent the particular way in which a given /-photon 
pulse has been disassembled by the enemy in order to carry out a chosen attack: for an 
/-photon pulse, we designate by (/d, /«)""''*■''""■', subject to the constraint Id + k = /, the 
situation in which /^ of the photons in the pulse are subjected to a direct attack and /j of the 
photons are subjected to an indirect attack, with u photons being intercepted and stored 
in quantum memory by the enemy for the indirect part. This kinematical symbol notation 
is completely general and is very useful in describing any possible attack. For example, 
in the case of a pulse containing / = 8 photons, the symbol (3,5)1+^ means that 3 of the 
photons are subjected to a direct attack, and the remaining 5 photons are subjected to the 
an indirect attack, with Eve choosing to split off and retain 1 of those 5 photons, letting 
the remaining 4 photons go on to Bob. In the event that so many of the photons are taken 
for one kind of attack that there are not enough left to carry out the other kind of attack, 
we place the remaining number inside parentheses: thus, the symbol ((1), 7) 4+^ means that 
7 of the 8 photons in the intercepted pulse are taken by the enemy for the indirect attack 
(here with m = 4 of these retained by Eve and 3 allowed to go on to Bob), which only leaves 
1 additional photon, which is not enough to carry out a direct attack, and so it is placed 
inside parentheses. 

To illustrate the different types of attack that are possible, in Tabled we enumerate in full 
the 12 distinct attacks that are possible to carry out on a multi-photon pulse containing 
/ = 5 photons, and in Table |21 we do the same for the 30 distinct attacks that are possible 
on a multi-photon pulse containing / = 8 photons. 

The entries in each list comprises a continuum of attacks ranging from purely direct to 
purely indirect. In the / = 5 case, of the 12 possibilities there are two distinct, purely 
direct attacks (represented by (5, (0)) and (4, (1)), one combined attack (represented by 
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Table 2: Set of Distinct Purely Direct, Purely Indirect and Combined Attacks for / = 8. 

(3, 2)1+1), g^j^^ ^ total of 9 purely indirect attacks (represented by the ordered pairs in which 
the first element is contained within parentheses). Similarly, in the / = 8 case, of the 30 
possibilities there are two distinct, purely direct attacks (represented by (8, (0)) and (7, (1))), 
ten different combined attacks (represented by the various entries for which neither element 
inside the ordered pair is contained within parentheses), and a total of 18 purely indirect 
attacks (as before, represented by the ordered pairs in which the first element is contained 
within parentheses). As always, it is simple to identify an attack that is optimal from the 
perspective of the enemy. The attack for which the net value of the associated privacy 
amplification function is maximal is the strongest attack, as it requires the largest number 
of bits to be subtracted in order to ensure that the remaining bits shared between Alice and 
Bob will be secret. As we shall see, most of the attacks displayed in the two Tables are not 
optimal from the perspective of the enemy, and are listed here only for completeness. 

In the absence of explicit click statistics monitoring by Bob we may continue to assume 
for the combined attack, just as was shown in eqs. ipUj) and (P7|) for the case of the purely 
indirect attack, that the indirect attack part of a given combined attack is optimal for the 
enemy if the value u = 1 is selected, so that only one photon is retained in quantum memory 
and thus the largest possible number of photons are allowed to go on to Bob in the remnant 
pulse, thereby increasing the likelihood of overcoming whatever line attenutuation may be 
present in the quantum channel. This assumption, which is only demonstrably valid when no 
click monitoring is in effect, considerably reduces the number of distinct types of combined 
attack that need to be considered in our analysis: now, if the intercepted multi-photon pulse 
contains / photons, it is easy to see that there are a total of / — 4 possible distinct combined 
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attacks available to the enemy. More generally, if we restrict consideration of indirect attacks 
to those for which u = 1 there are a total altogether of / — 1 distinct attacks of any kind. 
Thus, in the case of a multi-photon pulse with / = 5 photons, out of the 12 possible attacks, 
we see from Table Q that there is 5 — 4 = 1 combined attack for which n = 1 (in this case 
this is also the only combined attack), and we see that there are 5 — 1 = 4 attacks in general 
in which the indirect part is characterized by n = 1. The reduction in the number of attacks 
that need to be considered is much more dramatic in the case of Z = 8: here we see from 
Table El that, of the 30 attacks that are possible in total, only 8 — 4 = 4 of them are combined 
attacks for which u = 1, and only 8 — 1 = 7 of them include indirect attacks, combined or 
not, for which u = 1. 

It is useful to study this reduced set of attacks for which u = 1, since in this case we know (in 
the absence of click statistics monitoring) that the attack is optimal for the enemy, both due 
to having u = 1 and due to the absence of click statistics monitoring, since the modifying 
the former condition can only have the effect of reducing the strength of the enemy's attack, 
and the same is true if the latter activity is implemented. Thus, the associated amount of 
privacy amplification subtraction is guaranteed to provide sufficient protection against the 
strongest possible cryptanalytic attacks, as Bob is needlessly weakening his protection [i.e., 
Bob is not executing a "technically sound quantum cryptosystem" ) against the enemy by 
not monitoring click statistics. 

Having sketched a taxonomy and thus delineated the "kinematics" of the various types of 
multi-photon attacks we now turn our attention to the "dynamics," i.e. an assessment of 
the relative strengths of the purely direct, purely indirect and combined attacks by making 
use of the closed form expressions for the privacy amplification that we have derived. 

Comparison of Strengths of Direct, Combined and Indirect Attacks 

The logical structure of the analysis carried out in this section is illustrated with the fiow 
chart shown in Figure IHl below. 

The enemy can choose to carry out any admixture of purely direct and purely indirect at- 
tacks, or to carry out simultaneous combinations of the two types, and we must assume that 
the relative proportion chosen for each is unknown to Alice and Bob, who must therefore 
implement sufficient privacy amplification subtraction to protect against the worst case sce- 
nario. By an "admixture of purely direct and purely indirect attacks" we mean that, for 
a given transmission from Alice to Bob that includes some fixed number of multi-photon 
pulses that contain / photons each, the enemy can choose to carry out the purely indirect 
attack on a fraction ji of the Z-photon pulses and subject the remaining fraction of 1 — ji 
of the /-photon pulses in the stream to the purely direct attack (as long as / > 3, since 
otherwise the direct attack cannot succeed). There is no reason that the ji values need to 
be the same for different values of /, and in general we need to consider the case that they 
are not, in order to assess what the strongest enemy attack might be. To understand this it 
is important to compare directly against each other the strengths of the direct and indirect 
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Free Space: y = ttT) 



Category 3: / > 5 

Indirect, Direct, or Combined Attacks 



Figure 6: Flow Chart for Analysis of Comparison of Attack Strengths 



attacks. 



We first note that there are three different categories of multi-photon pulses to consider in 
this analysis, based on the associated value of /: Category 1: / = 2, Category 2: / = 3 and 
/ = 4 and Category 3: / > 5. We address each category in turn. 

• Category 1, / = 2: For two-photon pulses, only indirect attacks are possible. 

We conservatively assume that all two-photon pulses are subjected to indirect attack. 
Thus no comparison of strengths of different types of attacks is necessary or possible: the only 
question to address is the appropriate amount of privacy amplification to apply (necessary 
and sufficient, or sufficient). This is addressed in the following section in which we write 
down the complete expression for multi-photon pulse privacy amplification. 

• Category 2, / = 3 and / = 4: For three- and four-photon pulses, either a direct or an 
indirect attack, but not both, are possible on any given pulse, and thus no combined attack 
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is possible. 

We conservatively assume that all three- and four-photon pulses are subjected to one or 
the other of the two types of attack, denoting the fraction of three-photon pulses subjected 
to indirect attack by js, and the fraction of three-photon pulses subjected to direct attack 
by 1 — J3 (with similar meanings for J4 and 1 — J4, respectively, for the case of four-photon 
pulses) . 

• Category 3, / > 5: For multi-photon pulses with five or more photons direct, indirect or 
combined direct and indirect attacks are possible. 

In the absence of special intelligence information provided through espionage or other means, 
Alice and Bob cannot in general expect to know the values that the enemy will choose for 
the various ji that will be used against pulses from categories 2 and 3, and they will also not 
know which combined attacks, if any, may be carried out against pulses from category 3, so 
that the only way to ensure secrecy is to determine the strength of the worst case attack. For 
this purpose we explicitly compare the closed form expressions for the privacy amplification 
functions deduced above. 

As written above, no comparison of attack strengths is required for Category 1 pulses since 
only indirect attacks are possible. We will proceed by first comparing the strengths of the 
purely direct and purely indirect attacks, which are the only kind possible in Category 2, 
and then show that (as mentioned above) for any given multi-photon pulse it is always the 
case that the strongest possible attack is either a purely direct attack or a purely indirect 
attack and never a combined attack, so that for both Category 2 and Category 3 it suffices 
to consider direct and indirect attacks only. 

In addition to not knowing the values of the ji, as discussed above Alice and Bob will also 
not in general know the identity of the distribution function S chosen by the enemy for the 
preparation of the surrogate pulse in the case of the direct attack. However, we found above 
that if Eve chooses in particular to prepare the surrogate pulse in the Poisson distribution, 
S {i^e^Ie) = X (/^B) ^-b); she can in principle tune the value of ^e such that the entire line 
attenuation and detector inefficiency of Bob's apparatus are effectively eliminated, resulting 
in the strongest possible direct attack, u'^j^, given in eq. (|75|l as 

777 

Since we have explicitly demonstrated that it is possible for the enemy to achieve the maximal 
strength direct attack, we must assume that the maximal strength direct attack will be 
achieved (assuming that the direct attack has been chosen). Of course, as we found in 
eq.(f77|). the strength of this attack can be controlled and reduced by Bob through active 
monitoring of the click statistics, resulting in a leading order diminution fcf eq.(|81|)) of the 
strength of the attack by a factor of 77. We will proceed at first by assuming that Bob does 
not employ click statistics monitoring, which means we will be working with the absolutely 
worst case scenario from the perspective of Alice and Bob, the strongest possible version of 
the direct attack, i.e., the form given by eq. (|lU8|) above. This form equally applies to the 
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cases of a free space or fiber optic cable quantum channel since the difference between them, 
i.e., the fact that it is not possible for the enemy to physically improve the transparency of 
the atmosphere, is effectively eliminated since the enemy can tune the value of fiE to achieve 
the same result. 



Similarly, we found in eq. (j9H|) the form of the maximal strength indirect attack that can be 
carried out on a multi-photon pulse. 
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(109) 



which is the applicable form if the enemy has somehow managed to surreptitiously replace 
the quantum channel with another one of perfect transparency, which is only reasonable to 
suppose is possible (if at all!) in the case of a fiber optic cable implementation. In the case 
of a free space implementation we should instead use eq. ( 
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The interception apparatus of the enemy must of course be located somewhere, and for this 
analysis we will take as this location a position immediately adjacent to the Alice site, which 
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where in the second equation above we have simply set a p = a, since in the case 
of the generic free space system that we are discussing, the residual amount a of line 
attenuation appearing in the first equation above is simply the total line attenuation a, and 
the condition p = 1 is imposed by the physical impossibility of replacing the atmosphere 
with one of improved transmissivity. The difference between eqs. p09p and (llllj) for the 
maximal strength fiber optic cable and free space implementation versions of the indirect 
attack privacy amplification amount is then just the presence of the factor of a that multiplies 

7]. 

Thus, the general, worst case (for Alice and Bob) combination of attacks for multi-photon 
pulses with / = 3 or / = 4 photons is given by 



(u),Tnax , /-, 
JlKl + (1 



■\ max 
Jl) '^dJ 



(112) 



where v, 



{u),max 
i,l 



is understood to be given by eq. p09|) in the case of a fiber-optic cable imple- 
mentation and by eq. ljlllj) in the case of a free space implementation. Of course, the above 
expression denotes the most general possible mix between purely direct and purely indirect 
attacks for any value of / > 3, not just the cases / = 3 and / = 4, but for the latter two values 
this form encompasses all possibilities since no combined attacks are allowed. The question 
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now is: what values of ji will optimize this for the enemy, thereby prescribing for Alice and 
Bob the corresponding amount of needed privacy amplification? 

We consider the situation in which Bob does not actively monitor the click statistics of his 
detector. In this case we found in eq. ()97|) that the maximum strength indirect attack takes 
place when the enemy selects the value u = 1, retaining only one photon from the split 
beam. To be as conservative as possible we utilize this value of u in the following analysis, 
thus ensuring that we are considering worst case results. To measure the relative strengths 
of the two types of maximal attack we examine functions of their differences and ratios. We 
first note that the quantities j^j"^'™''^ and i^^"^ are each proportional to the factor y4'i (/^)- 
We therefore construct the normalized difference function A*""^ between the two maximal 
privacy amplification amounts as 

^{l),max _ ^rnax 
\max i,l d,l ^1 1 Q^ 

= f ^. (/^) ■ ^ ^ 

More generally, we note that with the help of eqs. ()66|) and (jHHj) we can define the universal 
difference function that is always valid (not just for maximal attacks) in the absence of click 
statistics monitoring as 

(m) 

A ^ '^IL^L^ , (114) 

and, if click statistics monitoring is executed, we may write using eqs. ()77p and p05|) 

(n) _ 

Proceeding with the analysis of A'""'^', since y'4'i (/^) > 0, we see that when the condition 
^max > Q ig satisfied the maximal indirect attack is the stronger of the two for the enemy, 
and when A'""^ < the maximal direct attack is superior. Owing to the form of the 
function ze (/) contained within the quantity t'™^'^, we must write the difference function out 
separately for multi-photon pulses with even and odd numbers of photons. Upon defining 
y = rja (satisfying < ?/ < 1) in order to consider both the fiber-optic cable and free space 
implementation cases with the same notation, we have for the even integer case, when I = 2k 
with k >2 (due to the chosen range for k we have not needed to manifestly include either the 
explicit ^-function Q (I — 2) contained in //^y''""^ or the implicit 6'-function ^ (/ — 3) contained 
z™;'^^ as they are both equal to unity) 

^nrax ^ A™"" (fc, Z/) 



= l-il-yy"' -[1-2' 

= 2^-'= -(1-1/)"=-' , (116) 

and for the odd integer case, when I = 2k + 1 with A; > 1 we have (for the same reason as 
above we have not needed to write out the 6'-functions) 
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= l-(l-yf'=-(l-2- 

= 2^'--(l-2/)'^ . (117) 

To determine the boundary separating the regions for which A'"'^^ > and A"^"-^ < we 
can solve the equations 

= Ar^ (k, y) 
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and 



= Ar^(A:,y) (119) 

y=yo 



for k and invert the solutions to obtain 



Ve = Ve (k) 

= 1 - T^ V A; > 2 (120) 

for the even photon number case with / = Ik^ and 

Vo = 1-^ VA;>1 

~ 0.292893 (121) 

for the odd photon number case with I = 2k + 1. In solving the equations to obtain i/g and 
yo all other solutions than the two that are listed here were discarded since they either do 
not yield real values for y^^o or do not satisfy the unitarity constraints < ye,o < 1- We also 
note in particular that y^, is manifestly independent of any specific value of k. 

We note that the solution y^, is a monotonic function^^ of k, with its smallest value given by 

2/e(2) = l-;^, (122) 

and we find that it asymptotically achieves its maximum in the limit 

\uny,{k)U-^- (123) 

We have thus found the answer to the question: "Which is stronger for a given multi-photon 
pulse, the maximal purely direct attack or the maximal purely indirect attack?" The answer 
is completely determined, in all generality, by the value of the quantity rja in the case of 
a free space implementation of quantum cryptography, or by the value of the quantity rj in 
the case of a fiber optic cable implementation (if we wish to be conservative and allow for 
the possibility that the enemy might surreptitiously replace the cable with a "lossless" one). 
Rather than writing expressions first with rja and then again with rj, we will continue to 
employ the symbol y with the appropriate substitution understood for free space or fiber 
optic cable systems. The relative strength of maximal purely direct and maximal purely 
indirect attacks is determined by locating y in one of the following regions: 



^^The function y^ is of course strictly only defined at discrete, integer values of its argument k. 
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• Region 1 - when the condition 

y > 1 - ^ ~ 0.293 (124) 

v2 

is satisfied, it is always true that the indirect attack is stronger than the direct attack for 
multi-photon pulses with any number of photons, 

• Region 2 - when the condition 

y<^-^- 0-206 (125) 

is satisfied, it is always true that the direct attack is stronger than the indirect attack for 
multi-photon pulses with any number of photons, 

• Region 3 - when the condition 
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0.206 < y < 0.293 (127) 

is satisfied, for multi-photons pulses with an odd number I = 2k -\- 1 oi photons it is always 
true that the direct attack is stronger than than the indirect attack, and for multi-photon 
pulses with an even number I = 2k oi photons the particular value of y which separates the 
two cases is determined for a particular value of k by the expression given on the rhs in 

We are able to unambiguously deduce these results since we are directly comparing the 
maximal values of the explicit privacy amplification functions for the two types of attack. 
Recall in particular that, from eq. ()66|) . the largest possible value of Ud^i occurs when, for a 

given value of /i, the coefficient in Ud^i of ^i^i (/i) E«'=o (!/) {ctAEPAEf (1 - aAEPAsf'^ ze (/') 
is as large as it can be, which is unity since that coefficient is itself a probability function. 
The critical value and region 77a ^ 0.293 determine the condition for which the strongest 

^^Note that the special value rja ~ 0.293 was also noted in [22, but there the full significance of this 
number was not inferred (nor was the critical value rja ~ 0.206 discovered at all). There it was concluded 
that as long as the condition 7]a <; 0.293 is satisfied it is not always possible for the direct attack to succeed. 
This result is contained in our result. We have inferred the universal conclusion that if rja <; 0.293 it is 
always the case that some purely indirect attack is stronger than any purely direct attack for any given 
multi-photon pulse where both attacks are possible (i.e., for I > 3). 
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possible purely direct attack is not as strong as some purely indirect attack, and the critical 
value and region rja ^ 0.206 determine the condition for which the strongest possible purely 
indirect attack is not as strong as some purely direct attack. 

These analytical results are illustrated numerically in Figure [7| where we display a graph of 
curves of the maximal difference function A""^^, resolved into the even and odd parts A™"^ 
and A^"^. This is done for Region 1 and Region 2, represented by y values oi y = 0.5 and 
y = 0.1, respectively. 

Comparison of Strengths of Purely Direct and Purely Indirect Attacks 
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Figure 7: Comparison of Strengths of Purely Direct and Purely Indirect Attacks 

The preceding analysis was carried out in order to establish whether, for a given value of /, 
the maximal purely direct or maximal purely indirect is stronger. We have answered this in 
all generality for all multi-photon pulses in Regions 1 and 2, as well as for pulses with an 
odd number of photons in Region 3. To complete the analysis and determine this for the 
case of even values of / in Region 3 where 1 — 1/ \/2 < y < 1 — l/-\/2 we need to introduce 
the quantity 



z/. 
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(l),max 

i,l 
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which measures the relative strength of the two types of attacks. Although we will only need 
this function for the case of even values of /, for completeness we can as above separately 
consider both the cases when / is an even integer and when / is an odd integer (and as before 
we do not display the ^-functions due to the chosen ranges for k): 



a^ 



c^e{k,y) 
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and 

ar^ = ao{k,y) 

= '~^''f' . (130) 

1 _ 2-fe ^ ^ 

We will use o"™""^ in the next section where we assemble the complete expression for multi- 
photon pulse privacy amplification. 

Having performed a direct comparison of the strengths of direct versus indirect attacks, 
which are the only possible attacks for pulses with I = 3 and / = 4 photons, we now consider 
pulses with five or more photons. In this case the full set of attacks include the combined 
as well as purely direct and purely indirect attacks. Inspection of the kinematical symbol 
entries in Tables 1 and 2 reveals that the full set of allowed attacks for any given multi- 
photon pulse fills out a continuum of attack strengths. To see this explicitly, we consider as 
an example the entry for / = 8 displayed in Table 2, and restrict our analysis to the case that 
M = 1 for all indirect attacks (both for purely indirect attacks and the indirect parts of the 
allowed combined attacks), and as before assume that the enemy carries out the maximal 
attack always. To analyze the privacy amplification function for a generic combined attack, 
we need to introduce the additional notation i'c{d),i,ia ^^^ ^(ii)ii- ^^^ fii'st symbol denotes 
the privacy amplification function associated to the direct part of a combined attack (this is 
indicated by the ^^c{d)" in the subscript) on a multi-photon pulse with a total of / photons out 
of which Id photons have been taken by the enemy for the direct attack part. Similarly, the 
second symbol denotes the privacy amplification function associated to the indirect part of 
a combined attack on a multi-photon pulse with a total of / photons out of which U photons 
have been taken by the enemy for the indirect attack part. 

Note that in the cases that Id = I and U, = I the quantities i'c{d),i,i^ and v^l ^ ;, should reduce, 
respectively, to the expressions for Ud,i and z/|" , so that we have 

i^cid),i,i = i^d,i (131) 

and 

'^SIm = -i? • (132) 

The important point to observe is that the constraint I = ld + U must always be satisfied 
in the combined attack, and this means in particular that the photon number arguments of 
different factors that appear in the associated privacy amplification functions will always be 
different from each other in the case of any combined attack, only becoming equal to each 
other in the limit that either Id = I or k = I, in which case the combined attack reduces to 
a purely direct or purely indirect attack. For example, in the case of the direct attack part 
of a generic combined attack on a pulse with / photons, we have (for this example we are 
assuming that the direct attack part of this combined attack is maximal) 
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i^TidW, = ^i^iif^)zEild) , (133) 
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where the subscript for ipi is indeed different than the argument for ze, with an analogous 
sphtting amongst the appropriate arguments between / and /j in the case of the privacy 
amphfication function for the indirect part. 

In the above expression the constraint l^ < I must always be satisfied. With equality 
between l^ and / we now see explicitly that the above expression goes over to the privacy 
amplification function for the purely direct attack on all the photons in a multi-photon pulse 
with / photons: 
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(134) 



Thus, to compare the strengths of any of the direct attack parts of a combined attack on 
a multi-photon pulse with / photons, it suffices to compare the magnitudes of ze {Id) and 
Ze (0 for a.11 Id satisfying l^ < I. Inspection of eq. (j3H|) for ze (/) reveals that one has 



Ze (Id) < Ze il) yid<l (135) 

and therefore 

, ,max ^ , max \J i ^ i fT}(i\ 

^c{d)Ud < ^d,i ^ ld<l ■ (136) 

Thus, for a given value of /, there is no direct attack part of any combined attack that is 
stronger than the purely direct attack carried out on the full set of / photons contained in 
the pulse. A similar argument can easily be made to show the analogous result in the case 
of the relation between the indirect part of any combined attack and the associated purely 
indirect attack. Not surprisingly, as a result it turns out that for any fixed value of /, the 
various allowed combined attacks always are characterized by maximal privacy amplification 
function values {i.e., worst case attack strengths) that are less than those for the maximal 
purely direct and maximal purely indirect attacks, the "endpoint" symbols in lists such as 
in Tables 1 and 2. We can also motivate this result numerically as follows. Going down the 
list of entries in Table 2 from first to last, let us examine four representative attacks denoted 
by the kinematical symbols (8, (0)), (6,2)^+^ (3,5)^+^ and ((0),8)i+^. We see that: 



{l),max 



(8, (0)) corresponds to the single privacy amplification function z/J^^^, 
(6,2)^+^ corresponds to the two privacy amplification functions t'^^fgg and '^c(i)8 2 ' 
(3,5)^"'"^ corresponds to the two privacy amplification functions i^^^fga and J^^d)^'^^ , 
((0),8)^'^^ corresponds to the single privacy amplification function i/^-g "^. 
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In Figures IHl and ini we have plotted for Regions 1 and 2, respectively, the six privacy ampli- 
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Figure 8: Comparison of Strengths of Combined, Purely Direct and Purely Indirect Attacks: 
Region One 

fication functions corresponding to the different attacks identified by the four kinematical 
symbols listed above. The two solid curves in each graph are the privacy amplification func- 
tions for the purely direct and purely indirect attacks, and the four dashed curves in each 
graph correspond to the various combined attacks. Inspection of the curves in the graphs 
reveals that, depending on the value oi y = rja in precisely the way determined by y^ and yo 
given in eqs. p2m) and p2H) . the purely direct or purely indirect attacks are always stronger 
than any of the combined attacks. We are led to conclude that we can therefore bound the 
worst possible effect of any combined attacks on multi-photon pulses with / > 5 photons 
by carrying out the privacy amplification analysis as if only purely direct or purely indirect 
attacks were available to the enemy. Putting this together with the previous analysis for 
the multi-photon pulses with / = 3 and / = 4 photons, we see that for all multi-photon 
pulses with / > 3 photons we can determine the strongest combination of direct and indirect 
attacks in a universal manner by making use of the critical values for rja, for even or odd 
photon number, as determined by eqs. (jl2Uj) and (J12H) . The generic expression for privacy 
amplification, now for all / > 3, is therefore given by 






3i) ^dJ 



(137) 



as in (J112j) above. 
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Comparison of Strengths of Combined, Purely Direct and Purely Indirect Attacks: Region 2 
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Figure 9: Comparison of Strengths of Combined, Purely Direct and Purely Indirect Attacks: 
Region Two 

The Complete Expression for Multi-Photon Pulse Privacy Amplification 

The logical structure of the analysis carried out in this section is illustrated with the flow 
chart shown in Figure ITUl below. 

Here we assemble the complete expression that provides both necessary and sufficient privacy 
amplification to ensure unconditional secrecy (in the sense of the privacy amplification the- 
orem) against attacks on the multi-photon pulse part of the transmission from Alice to Bob. 
We adopt the very conservative assumption that all multi-photon pulses are intercepted and 
subjected to some form of attack. We at first proceed by considering the possible attacks on 
a photon number-by-photon number basis. 

• For two-photon pulses, only indirect attacks are possible. 

We assume that all two photon pulses are subjected to the maximal indirect attack. 

• For three- and four-photon pulses each, either a direct or an indirect attack, but not both, 
are possible. 

We assume that all three- and four-photon pulses are subjected to the maximal version 
of one or the other of the two types of attack, whichever is stronger. 

• For pulses with five or more photons, direct, indirect or combined direct and indirect 
attacks are possible. 
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Figure 10: Flow Chart for Analysis of Complete Expressions for Multi-Photon Pulse Privacy 
Amplification 

In the previous section we showed that, for any fixed number of photons in a multi-photon 
pulse, the strength of the generic combined attack is always less than a particular maximal 
purely direct or maximal purely indirect attack. We therefore proceed by assuming that all 
pulses with five or more photons are subjected to one or the other of the two types of pure 
attack, whichever is stronger, just as for three- and four-photon pulses. 

Putting together our various results, the overall expression for the necessary and sufficient 
amount of privacy amplification i>, in all generality, for the entire multi-photon pulse part of 
the transmission from Alice to Bob is finally given by 



K 



(u) 
i,2 



E {ji-S' + 



ji) i^d,i 



1=3 



(138) 
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where 



^ = y ^/ (/i) 0(1-2) 



1 — ria p 



1 — ria p a p 



AE' AE EB ' EB 



(139) 



and 









1 — ?7a p 

' EB' El 



(140) 



Although this is indeed the most general, necessary and sufficient expression for the privacy 
amplification function i/, its use by Alice and Bob in practical application to actual quantum 
cryptography is problematic at best, and typically this expression cannot in fact be used. 
It provides the formally necessary and sufficient amount of privacy amplification, presuming 
that Alice and Bob have somehow ascertained various facts that are in principle, entirely 
under the control of the enemy, such as the particular distribution S chosen by the enemy 
for the preparation of surrogate pulses, the value of u chosen by the enemy, etc. 

Since such information will in general not be available, the only alternative is to utilize the 
maximal versions of the privacy amplification amounts that we have derived above. This has 
the virtue of ensuring that Alice and Bob will share secret bits irrespective of the attacks 
carried out by the enemy, while at the same time avoiding the situation of the "Pyrrhic 
victory" that results when too many bits are subtracted, as would occur if eq. (j55|) were used 
instead. Thus, we have as the best practical expression for the required amount of privacy 
amplification on multi-photon pulses: 



z/ 



(l),max 






1=1, 



(141) 



The natural way to organize this practical expression for multi-photon pulse privacy ampli- 
fication is in terms of location in ?7Q;-space, rather than in terms of photon numbers, and 
moreover to do so separately for the cases of free space and optical fiber cable implemen- 
tations. An issue of importance, over which Alice and Bob have no control, is how much 
modification, if any, the enemy will impose on the transparency of the quantum channel. 
For both the free space and optical fiber implementations of QC we will ignore the possibil- 
ity that the enemy might be able to, and will decide to, degrade the transmissivity of the 
channel. Thus we do not consider the situation in which Eve causes a reduction in the value 
of a from the fiducial value initially measured by Alice and Bob to some lower value. This 
is because, as our explicit derivations of the various privacy amplification functions show. 
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such a decrease in the value of a leads to a decrease in the number of bits that can be com- 
promised by the enemy, who will presumably not want this outcome to occur, and moreover 
any degradation of channel transparency constitutes an attempt at denial of service rather 
than information compromise in any event. ^° 

Thus we are left with two possibilities: (1) In the case of a free space implementation we 
can assume that the value of the product r^a is given once and for all by the fiducial value 
initially measured by Alice and Bob.^^ They will thus adjust their privacy amplification 
appropriately according to the r/a regions mapped out below. (2) In the case of an optical 
fiber cable implementation, Alice and Bob cannot be confident that the fiducial value of 
a that they believe characterizes the cable will not be increased by the enemy. They must 
therefore compare the value of r/a, based on the fiducial value of a, with the value of 77. If both 
endpoints of this set of values lie within one and only one of the three regions mapped out 
below, then they should simply set a = 1 in the appropriate privacy amplification function. 
Otherwise, the supremum of the privacy amplification functions between the different regions, 
calculated for the two endpoint values, should be used in a practical system implementation. 
In the following list, we will assume for simplicity in the case of the optical fiber cable 
implementations that both endpoints {r\ and r/a) lie within one and only one of the designated 
regions. We then have the following requirements for appropriate privacy amplification 
processing associated to the multi-photon pulses: 



Region 1: r/a > ^ — ^ (i.e., rja ^ 0.293J =^ ji = ^ 
• Free space implementation of quantum cryptography 



1=3 
00 

{l),max j^ v~^ {l),max 

— ^i,2 + Z^ ^i,l 



1=3 



00 

E{l),max 
'^1,1 
1=2 



^"^Strictly speaking, even though a reduction in the value of a reduces the number of bits that may be 
compromised, one should allow for the possibility that, by reducing the value of a and thus reducing the 
value of the product rja, the enemy will drive the attack dynamics from Region 1 to either Region 3 or to 
Region 2 (or drive the attack dynamics from Region 3 to Region 2). Presumably the enemy will attempt to 
degrade the quantum channel surreptitiously, so that if Alice and Bob don't notice this they will not know 
that they should adjust the privacy amplification function accordingly. This might possibly be advantageous 
for the enemy since, in Region 1, the privacy amplification should be optimized for the indirect attack, while 
in Region 2, say, the privacy amplification should be optimized for the direct attack. The outcome will 
depend on whether the specific number of fewer bits that may be compromised by the enemy as a result of 
having reduced the value of a is greater or smaller than the difference between the attack strength of the 
indirect attack evaluated at the original value of a and the attack strength of the direct attack evaluated at 
the reduced value of a. This analysis will be performed elsewhere. 

^^As always, we are presuming that proper, "technically sound cryptosystem" technique is being executed 
by Alice and Bob, and they have thus obtained an accurate initial measurement for the a priori value of a, 
and we also assume that they know very well what the value of r/ is. 
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Optical fiber cable implementation of quantum cryptography 
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Region 2: rja < 1 — ^ (i.e., rja ^ 0.206J ^ ji = 
• Free space implementation of quantum cryptography 
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Optical fiber cable implementation of quantum cryptography 
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Before proceeding to the case of Region 3 we recall that we must now separately consider 
the cases of multi-photon pulses with even and odd numbers of photons. Eq. (jl2H) above 
implies that for all multi-photon pulses with an odd number of photons the strongest attack 
is a maximal purely direct attack in Region 3, and thus in this case Alice and Bob should 
always choose ji = 0. However, in the case of multi-photon pulses with an even number of 
photons it is necessary to determine which of the two maximal attacks is strongest on the 
basis of the solution to eg . (11201) . For this purpose we now make use of the strength ratio 
function o"e {k, y) introduced in eq. (jl29|) to define the appropriate value of j^, for even / only, 
as 

3i = e(ae{k,y)-l) I = 2k , k>2. (146) 

We observe that this form ensures that the value of j^ correctly identifies in Region 3 (actually, 
it could also be used in the other two regions, but it is not needed there) the optimal attack 
for multi-photon pulses with even numbers of photons, yielding ji = 1 when a maximal 
indirect attack is the strongest, and yielding ji = when a maximal direct attack is the 
strongest. This expression can be easily computed for any particular value oi k = 1/2, and 
thus provides a practical method of determining for the multi-photon pulses with an even 
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number of photons in Region 3 what the correct amount of privacy amphfication is. We then 
have: 



Region 3: 1 - -^ < r]a < 1 - 75 (i.e., 0.206 < r]a < 0.293) 
• Free space implementation of quantum cryptography 
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where 
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so that we finally have 
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Optical fiber cable implementation of quantum cryptography 
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It should be pointed out that, as will be shown in Section 4, a practical system implemen- 
tation will typically be characterized by a large amount of line attenuation, corresponding 
to a small numerical value for a. Moreover the quantum efficiencies of available detectors 
are usually smaller than one would desire. Thus realistic system values of rja will typically 
lie well within Region 2 as defined above, so that eqs. p44|) and p45|) will usually be the 
appropriate values for multi-photon pulse privacy amplification. 



Common Sense and the Quantum Cryptographic Conservative Catechism 

As presented in the Introduction, the Quantum Cryptographic Conservative Catechism 
(QCCC) provides a "doctrine of reasonableness" that serves as a guide in analyzing the 
various cryptanalytic attacks that the enemy may perform. Consistent with this, we have 
determined in this section the proper amount of privacy amplification subtraction required 
to ensure that Alice and Bob share bits that are secret, based on the assumption that the 
enemy is essentially only constrained by the laws of physics (modified, though, by point (1) 
in the definition of QCCC in Section 2.5.2). Thus, we have not presumed that the enemy is 
limited by currently perceived difficulties of practical engineering that may indeed constrain 
the possibility of actually carrying out the attacks that we study in this paper. 

Having said that, however, it ought to at least be mentioned in passing that practical en- 
gineering issues are in fact highly constraining today. The attacks that can realistically be 
carried out by the enemy are greatly limited as a result. As one example, in the case of the 
direct attack, it is necessary that the time required for the enemy to perform all physical ma- 
nipulations to intercept the pulse, measure the state of the pulse, prepare a chosen surrogate 
pulse and have the surrogate pulse propagate through whatever distance is required in order 
to reach Bob, be no greater than the bit cell period. If this time constraint is violated then 
Alice and Bob will be able to detect a corresponding error. Related constraints also apply 
in the case of the indirect attack (such as a constraint on the time required to place the 
retained part of the pulse in an appropriate quantum memory). For a high speed quantum 
cryptosystem characterized by a small bit cell period this basic constraint may be so difficult 
to satisfy that the associated attack might as well be forbidden by the laws of physics. 



3.1.6 Continuous Authentication 

As has been stressed several times above, it is important to ensure that the quantum cryp- 
tography system remains protected against possible spoofing for the entire duration of the 
transmission. "Spoofing" occurs when the enemy gains access to the public channel, inter- 
poses herself between the legitimate transmitter and receiver and attempts to misrepresent 
her identity in order to gain information, interfere with the system or both. It must be 
assumed on each and every use of the public channel that the enemy will attempt to carry 
out a spoofing attack, which explains the need for continuous authentication. The detailed 
derivations of the explicit functional forms of the complete continuous authentication cost 
functions are provided in Section 4.4.1 below. Here we anticipate those results and list what 
the cost functions are so that we may incorporate them into the complete expressions for 
the effective secrecy capacity and effective secrecy rate of QKD systems. Although the need 
for initial authentication of the public channel in quantum key distribution has been men- 
tioned by many authors, previous analyses have not included explicit derivations of the exact 
functions that describe the full and precise cost in bits of continuous authentication. 

The complete analytical expression for the cost function for continuous authentication ob- 
tained in Section 4.4.1 is found to be given by 

5 

a = 9EC + Y.^ji9j,Cj{fi)) , (152) 

where we define the important Wegman- Carter function, w {g,Ci), as^^ 

w {gu d) =4:[gi + logs (log2 Ci) ] logs Ci ■ (153) 

The authentication cost function a is the sum of six terms: two of the terms in the sum 
represent the authentication cost associated with the sifting process, and the remaining four 
terms are the cost associated with the error correction process. 

In Sections 4.4.1 and 4.4.2 we explicitly derive the complete distinct costs, in bits, of the 
various communications exchanges required to support the continuous authentication of the 
public channel. We list there that 

ci = 2n (1 + logs "^) 5 (154) 

C2 = 2n , (155) 

C3 = n , (156) 

C4 = gsc (157) 



^^The full and complete expression for the quantity that we denote by w and refer to as the Wegman-Carter 
function, which is of crucial importance in practical quantum cryptography, does not appear to have been 
properly analyzed previously in the context of QC (nor apparently even namedhy any authors). Surprisingly, 
the closed-form function, as such, doesn't appear as a numbered equation in |36| . In fact, it must be obtained 
instead by combining quantities that appear in lines 3 and 17 in the first paragraph of section 3 in |36| . 

82 



and 

C5=9ec, (158) 

and all of the security parameter constants Qi that appear in the summand in eq. ()152|) . which 
includes the quantities qec and qec: are (as explained in Section 4.4.1) taken to be equal to 
30. 

These quantities characterize the amount of communications required to effect continuous 
authentication for the sifting and error correction phases of the QC protocol. We note that 
no communication, and hence no authentication at all, is required to execute the privacy 
amplification phase of the protocol. This may at first appear surprising and appears not 
to have been discussed in detail before in the literature. ^'^ The bit values that must be 
identically shared between Alice and Bob in explicitly carrying out privacy amplification 
consist of a random set to be used to compute the privacy amplification hash function. 
This set can be obtained without any communication at all between Alice and Bob, and as 
indicated above, since there is nothing to be communicated via the public channel, there 
is obviously no need to authenticate that channel for this purpose. The trick is for Alice 
and Bob to exploit the untapped randomness resident in the processes used to execute the 
protocol. During the public sifting discussion Alice and Bob keep a record not only of the 
identities of the compatible bases, but should as well keep a record of the index position 
within the overall bit cell stream of those compatible basis events. They will be able to 
generate, in real time, two random strings of bits, each of length m/2 (modulated by the 
system losses), by first simply recording the index positions, respectively, of the compatible 
and incompatible basis events. Then Alice and Bob may compute the parities of these two 
strings to obtain two completely random bit strings of length m/2 each. Either of these 
two strings (this choice can be made by public agreement between Alice and Bob) can be 
used to compute the privacy amplification hash function, and no information will have been 
communicated between Alice and Bob for this purpose. Although Eve can also perform this 
exercise, since the particlar random sequence generated in this way for use in the privacy 
amplification hash function doesn't exist prior to the sifting discussion, it is of no use at all 
to Eve in deducing any information about the shared key whatsoever. 

As discussed in the next section, we will need to solve an extremization equation in order to 
deduce the optimal values for both the effective secercy capacity S and the effective secrecy 
rate TZ. To solve the optimization equation we need an explicit expression for 2a^^/m, which 
we find is given by 

Z^ = ^^^ . 1 . {3 (^ + 1) + log2 [ (log2 Ci) (log2 C2) (log2 C3) ] }, (159) 

where the q are the costs listed above, in classical bits, of the various communication links 
required for continuous authentication. In the next section we will also consider the effective 



^•^We thank J. Guttman for emphasizing the fact that there need be no communication between Ahce and 
Bob to carry out privacy amphfication. 



83 



secrecy capacity in the limit of an infinitely long cipher, for which purpose we will need to 
use the fact that 

, (160) 



lim — 

m — ^oo ffi 



which is straightforward to verify using the expression for a given in eq. p52j) above. 



3.1.7 The Complete Expressions for the Effective Secerecy Capacity and Rate 

We are now in a position to put together the results we have obtained on the numbers of 
sifted bits, error bits, privacy amplification subtraction bits and continuous authentication 
bits to obtain the complete expressions for the effective secrecy capacity, iS, and the effective 
secrecy rate, 7^, of general, practical QKD systems implementations. For this purpose we 
first introduce the useful function, /, which we define as 



f=l+Q+T 



(161) 



in the case of a QC system implementation in which Alice and Bob identify and discard error 
bits in the sifted string. ^^ The purpose of the function / is as follows. Of the total amount of 
information that must be removed from the sifted string in order to achieve a secret shared 
key, the function / groups together and measures just that portion that is natural to measure 
directly in units of error bits. (This leaves in distinct terms those portions of the information 
that is to be removed that are due to multi-photon pulses, continuous authentication and 
the privacy amplification security parameter.) For instance, in the case of / as defined in 
eq. ()16H) . appropriate to the error correction procedure in which error bits are discarded, the 
first term of unity indicates that the entire fiducial set of error bits are indeed subtracted, 
and the second and third terms of Q and T represent the subtractions for error correction 
information leakage and single-photon pulse measurements, respectively. 

We now collect the results of the above sections for the number of sifted bits, the number of 
error bits, the total amount of privacy amplification and the cost of continuous authentication 
and substitute them into eq.(^ to deduce the form of the complete, effective secrecy capacity 
as 
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(162) 



^^In the case of a QC system implementation in which Ahcc and Bob identify, correct and retain error bits 
in the sifted string, we would instead have f = Q + T. As stated in Section 3.1.1 above, unless explicitly 
otherwise mentioned, in this paper we will adopt the "error discard" approach, with the consequence that 
the various rate predictions based on it will furnish universal lower bounds on achievable throughput rates. 
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where we have defined 

u = 2u/m (163) 

so that the rescaled quantity v is independent of the number of raw bits, m. In the above 
expression for S the argument of the first term in the square brackets, i.e. the argument of 
the function '?/'>i, is equal to rjna as derived and discussed in Section 3.1.1 above. 

The m-dependence in S is important, as it allows us to study the dynamics of actual ciphers 
of finite length in addition to studying properties of abstract ciphers of infinite length. Note 
that in addition to the manifest m-dependence that appears in the term ^''° " , there is also 
m-dependence contained within the function / through its dependence on T fcfeqs. ()I^ and 
dSOl)), but not on Q icfea. ^ '). 

Making use of eq. ()160|) from Section 3.1.6, we see that the expression for the effective secrecy 
capacity in the limit of a cipher of infinite length becomes 
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where 



f^ = l+Q + T^ (165) 

and Too is given in eq. lj^H) . 

The effective secrecy rate is given by 

n = S/T , (166) 

where r is the bit cell period of the QKD system implementation. 

We stress that the various quantities ip>i, f, ^ and a appearing in S depend in a complicated 
way on a large number of parameters. Rather than writing this out in full, we display the 
complete parametric dependence of the effective secrecy capacity and rate with the following 
equations of state: 

S = S{ri, /i, a, re, r^, m, g, e, p, J, x) , (167) 

and 

n = n[r],n,a,rc,rd,m,g,e,pJ,x,T^ . (168) 

Optimization of the Effective Secrecy Capacity and Rate 

The mean photon number per pulse, /i, is the one system parameter that can by assumption 
always be directly controlled and adjusted by Alice. This is accomplished by adding or 
removing neutral density filters, as appropriate, to achieve the desired value of emitted 
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intensity. This desired value should optimize the effective secrecy capacity and rate of the 
system. The optimization equation for determining the optimal value, fiopt, of the mean 
number of photons per pulse is given by 



= S, 



fi=tJ.opt 



which is explicitly written as 



frc) - i^>if,t,rc - -^Td - ly^^ - 



2a, 



m 



A*— Mopt 



The resulting optimal value /iopt satisfies the equation of state 

/iopt = /iopt (??, a, Tc, Td, m, g, e, p, j, x 



(169) 



(170) 



(171) 



The optimal value of the effective secrecy capacity, Sopt, is obtained by evaluating S at /iopt, 
so that we have 



S, 



opt 



5(/i, 



optj 



and the corresponding expression for the optimal effective secrecy rate is given by 

'/v-opt = Sopt/T ■ 



(172) 



(173) 



The optimal effective secrecy capacity and rate, iSopt and T^opt, are the quantities that should 
be used in practice to make predictions about and study the performance characteristics of 
any particular quantum cryptograhy system. 

When the complete explicit expressions for the functions ip>i, V'>i,m' /' /,a" ^,m ^^*^ '^,m ^^^ 
written out in full and substituted into the optimization equation (eq. (jl7()|l ). it becomes 
apparent that numerical methods must be used to obtain an answer for the optimal value of 
yU. The general problem of practical quantum cryptography exhibits such a complicated de- 
pendence on the many parameters that are required to provide a complete system character- 
ization that a full mathematical description evidently does not admit closed form analytical 
solutions for /iopt, except in special limiting cases. 

Effective Secrecy Capacity and Rate with Click Statistics Monitoring 

In the general case for which Bob monitors the click statistics and discards those bit cells that 
manifestly contain multiple photon pulses, the expression for the effective secrecy capacity 
becomes 

_ n - ct - s - gpa - a 



m 



n - fcT -jy-gpa-a 



m 



rjipi + {x2>2) (1 - fmcsr, 



-, Jm.cs \ 

1 7^ rd 



Qpa "r ^mcs 



m 



(174) 
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In the above expression for Smcs, the argument of tpi is equal to /la. The functions fmcs 
and a^ncs are defined in terms of the quantities rimes and ex^mcs in place of the corresponding 
quantities n and ct- For example, fmcs is given explicitly by 

fmcs = (1 + g + T) 



mcs 



1 + Q [x, ^'"''''' ) + T {rimes, eT,mcs, e) , (175) 



n. 



mcs 



(176) 



and a^cs is given by 

5 

amcs = 9 EC + Y^ Wj {gj, Cj (/i)) 
i=i 

The quantity Umcs = '^^mcs/f^ is formed from the appropriate expressions for i'd,i,mcs and 

^iimcsi respectively, given in eqs.(f77j) and (jlOSj) . 

Effective Secrecy and Capacity and Rate in Special Limits 

It is worthwhile to examine this result in the special case that there is no eavesdropping 
activity but for which there is attenuation in the quantum channel and loss at Bob's detector, 
in which circumstance we may define the associated secrecy capacity, S^o enemy If there is no 
eavesdropping activity we have Q = T = (since no information is lost in particular due to 
eavesdropping on either error correction or single-photon pulses), so that we also have / = 1. 
We may set !> = 0, since none of the multi-photon pulses are at risk in this scenario. In the 
absence of an eavesdropper it should also not be necessary to undertake any authentication, 
so that we can impose the condition a = 0. Moreover, in this case we can safely set the 
privacy amplification security parameter, Qpa, equal to zero, so that we finally have 



c 

'-'no enemy 



1 



V'>i(l-r,) + ^rrf] (177) 



Inspection of the above expression reveals the basic physical effects that are responsible for 
the effective bit rate: the factor (1 — Tc) gives the proportion of the bit cells that will reach 
Bob without being subjected to depolarization or other intrinsic channel errors, the factor 
'il}>i gives the probability that a particular laser pulse will contain at least one photon, and in 
the argument oiipyi the factor a gives the proportion of qubit photons that will reach Bob in 
spite of attenuation due to atmospheric losses, the factor r] gives the fraction of photons that 
will actually be detected at Bob's receiving instrument in spite of the intrinsic inefficiency 
of his apparatus, the overall factor of 1/2 gives the fraction of photons lost as a result of 
the statistically independent, random choices of polarization basis made between Alice and 
Bob, and finally the term ^r^ gives the contribution to the effective secrecy capacity due to 
the presence of dark count activity. 

Finite Length versus Infinite Length Ciphers 

It is crucially important to obtain, as we have done, closed form, analytical expressions for 
the effective secrecy capacity and rate that are valid for actual ciphers of finite length, as 
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opposed to expressions that are only valid in the abstract limit of infinitely long ciphers. Why 
is this? One of our principal objectives in this study is to determine how and under what 
conditions we may achieve high data throughput rates for practical quantum cryptograhy 
systems. As we shall discuss in detail in Section 5.2.6, one of the techniques that may be 
used to achieve this objective is to assemble a collection of transmitters and multiplex their 
outputs together in a common transmission stream. However, the totality of computing 
resources (measured by the number of basic computer machine instructions) required to 
actually carry out the QKD protocol furnishes an important practical constraint on any 
quantum cryptography system. As this has never been analyzed before, we work out the 
details in full in this paper in Section 4.4.3 below. We find for the first time a closed form 
expression feq. ()286| ) below) relating the computing resources required for carrying out the 
protocol to the processing block size taken from the transmitted bit stream. With the help of 
this functional relationship, and also making use of the optimal effective secrecy capacity to 
numerically determine the dependence of the throughput rate on any reduction or increase in 
the number of transmitted raw bits assigned to each processing block, it is possible to deduce 
the rate of any proposed multiplexing scheme while satifying the important constraint that 
there are sufficicent computing resources to achieve it. This is not possible to do without 
closed form expressions for the secrecy capacity and rate that are valid for ciphers of finite 
length. With such functions at our disposal, however, we will determine in Section 5.3 below 
what are the highest possible rates than can actually be achieved for practical quantum 
cryptography. 



3.2 An Extended Family of Four-State Quantum Key Distribution 
Protocols 

We saw in the discussion in Section 3.1.1 above that there are a number of choices of schemes 
that may be adopted by Bob and Alice (and fully disclosed to Eve) to effect the monitoring 
of click statistics. As described there, to fully define any such scheme it is necessary to both 
select a particular model that specifies the details of the detector apparatus and to select 
a particular click-monitoring scheme to be used in that model. For each such choice one 
obtains different numerical values for the higher-order terms^^ in the explicit expressions 
for the number of sifted bits, the number of transmitted error bits, the cost of continuous 
authentication and the various privacy amplification subtraction functions. Each of these 
choices will generate different specific numerical results for overall system performance, in 
particular affecting the total integrated cipher throughput rates that can be achieved. Each 
of these may be thought of as an element in an extended family of BB84-like protocols. In 
fact, there are a denumerable infinity of different versions of these click monitoring-based 
schemes, distinguished from each other according to how Bob chooses to distribute any click 
monitoring he carries out amongst the bit cells. He can choose to monitor click statistics for 
the entire transmission, for certain fractions of the transmission, for certain fractions of the 
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These are terms ( c/ eq. (j^El) ) such as (x (a^, -2^>2 {fl^ «i ) = X];^o ^ (a^' ^>2 (^7, a, 



transmission for different amounts of time etc. Altliougli tliese different variations will in the 
general case of the strongest possible attack by Eve be suboptimal from the perspective of 
Alice and Bob compared to simply carrying out the maximum amount of click monitoring, 
i.e., executing the monitoring all of the time, for the entire transmission, and discarding 
all muUiple-click event bit cells, there are situations for which it is preferable for Alice and 
Bob to choose one of the other options. If Alice and Bob happen to have, through whatever 
means, access to privileged information regarding the set of attacks that the enemy can or 
will carry out, it is possible to tailor an appropriate click monitoring scheme specifically 
against that set of attacks - such a specially "tailored" click statistics monitoring scheme 
may result in a greater overall throughput of secret bits. A full anaysis and discussion of 
this sensitive topic is beyond the scope of the present paper, and will be treated elsewhere. 



3.3 Secrecy in the Presence of Weak Coherent Pulses 

The four-state quantum cryptography protocol (the BB84 protocol) in the ideal situation 
- i.e., in the absence of any system noise and with a source of perfect quantum bits - is 
unconditionally secret in the presence of any cryptanalytic attacks by Eve. Our purpose 
here, though, is in considering the case of a realistic system for quantum cryptography. Any 
actual implementation of the BB84 protocol obviously requires the use of actual physical 
hardware: we know that in any actual implementation the real system will be such that the 
the intended communication will be characterized by both transmission losses and errors. It 
is the inevitable presence of the errors, in particular, that absolutely forces us to effectively re- 
define the "pure" BB84 protocol (i.e., generation of the sifted key only) to include sufficient 
error correction and privacy amplification in order to assure that Alice and Bob share a 
secret Vernam cipher at the end of the communication. The privacy amplification functions 
calculated in great detail in the previous section serve the purpose of ensuring that any 
information possibly obtained by Eve through whatever means is removed from the final 
string shared between Alice and Bob. Of course, if Alice and Bob somehow knew with 
certainty that Eve did not exist, or that if she did exist was not present, or if present 
would not eavesdrop now or in the future, it would not be necessary to implement privacy 
amplification, although it would still be necessary to carry out error correction, due to the 
presence of system errors. However, in this unrealistic case - the absence of present or 
future adversaries - it would not be necessary to make use of any cryptography, quantum or 
classical, in the first place. In rea/ circumstances we must assume that Eve might be present, 
either actively attempting to decode our communications, or attempting to intecept, record 
and store them for possible future crypt analysis. In this case, which describes the real world 
of communications in the presence of adversaries, we must implement privacy amplification. 
In other words, as a practical protocol for secret key distribution the "pure" BB84 protocol 
is not complete: in any actual application the noise inherent to the system hardware dictates 
that the protocol actually used must be BB84 supplemented by sufficient error correction 
and privacy amplification. In several extant implementations quantum key distribution has 
been implemented by generating the signal states with an intensity-filtered pulsed laser. As 
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discussed in great detail in the previous section, the output of the laser in this case is in the 
form of weak coherent pulses of laser light: some of the pulses contain no more than a single 
photon, and some of the pulses contain two or more than two photons. The need to carry out 
privacy amplification, however, applies equally for the formal BB84 protocol implemented 
solely with proper quantum bits, which would consist solely of single photon states, or the 
weak coherent pulse implementation, which would include both single and multiple photon 
states. Even if there are no multi-photon pulses at all amongst the signals sent from Alice 
to Bob, the fact that the physical hardware generates errors, combined with the fact that 
Eve may be present, requires privacy amplification. This means that, even if the pure BB84 
protocol involving solely proper single-particle qubits is implemented on a real system, the 
effect of the required execution of privacy amplification dictates that the probability P 
that Eve will be able to know more than one bit of the final shared key sequence is given by 
P < \ri~' ^here gpa is the privacy amplification security parameter (the length in bits of the 
tag for the hash function utilized in effecting the privacy amplification). Precisely the same 
degree of secrecy is realized if the BB84 protocol is implemented with pulsed lasers generating 
weak coherent pulses that include amongst them multi-photon states, as long as sufficient 
additional privacy amplification is performed to account for the maximum amount of Renyi 
information that may have possibly been obtained by Eve as a result of any physically allowed 
attacks on such states. 
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4 Comprehensive Analysis of System Losses and Loads 

In order to apply the expressions for the effective secrecy capacity and rate that we have 
derived to a reahstic system it is essential to supply accurate values for the various parameters 
that characterize the losses and loads which result in a reduction of the throughput of secret 
key material. This must of course include the various quantities that specify the actual losses 
suffered by the signal as it propagates from Alice to Bob, but it is also important to include 
in the analysis those ancillary costs associated to the supporting classical communication 
required to actually carry out the QKD protocol. In addition, it is crucial to estimate 
and include in the analysis the amount of computing power that is required to carry out 
the various operations including error correction, computation of authentication and privacy 
amplification hash functions, real-time data record keeping, etc., that must go on "behind the 
scenes" in order for a practical system to actually work. Such costs can only be determined 
for actual ciphers of finite length, as abstract limits for infinitely long ciphers are inapplicable 
to the practical situation. It is only after complete account is taken of all these effects that 
one can accurately estimate the actual throughput rates and other operating characteristics 
that describe a real QKD system. 

Some Practical System Considerations 

In Section 5 of this paper we consider in detail the practical requirements for achieving QKD 
at a high throughput rate. Looking ahead to that development, in the various sections below 
of this chapter we will illustrate the general analytical results that we obtain for system losses 
by making use of certain system parameter values to calculate sample numerical results. In 
these illustrations we will typically consider a system in which Alice uses a laser that produces 
light at a wavelength of 1550 nanometers (consistent with many modern telecommunications 
and laser communications systems). Moreover for the case in which a free space quantum 
channel is utilized, such as for QKD between a satellite and a ground station, we in general 
assume a QKD configuration in which Alice is elevated and Bob is on the ground (or possibly 
in an aircraft). As we will see, a consequence of the various system losses for a QKD system 
operating through the atmosphere is that it is advantageous in optimizing the throughput 
rate to increase the size of Bob's receiving instrument aperture compared to Alice's, and it 
is easier and less expensive to do that by placing the Bob system on the ground (or in an 
airplane) and the Alice system on the satellite. In these cases we will principally consider 
numerical examples for two different satellite altitudes: a low earth orbit (LEO) satellite 
located at 300 kilometers altitude, and a geosynchronous (GEO) satellite located at 35783 
kilometers (22236 miles) altitude. 

We now turn to an analysis of all of the above issues. 
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4.1 System Losses: The Line Attenuation - Free Space 

The line attenuation, a, is defined to include the loss suffered by the signal due to four distinct 
causes: (1) the diffraction loss, i.e., the geometrical vacuum beam spreading loss, (2) the 
static atmospheric losses, due to atmospheric scattering and absorption, (3) the turbulent 
atmospheric losses, due to several causes as enumerated in Section 14.1.31 below, and (4) 
the "optics package" losses due to the imperfect nature of the various components present 
in the system. Note that the line attenuation a is not the "total" attentuation suffered by 
the qubit signal. Specifically not included in the definition of the line attenuation are: the 
loss, rj, associated with photon detector efficiency, the intrinsic quantum channel loss, r^ the 
basic, 50% sifting loss due to the definition of the BB84 protocol, the dark count loss, r^, 
associated to the photon detector, and the loss associated with the use of weak laser pulses, 
described by the probabilistic distributions ipi (//), ip>i, etc., in the effective secrecy capacity 



4.1.1 Diffraction Vacuum Beam Spreading Losses 

The use of finite optics dictates that the beam generated at Alice and transmitted to Bob will 
become a spread beam due to diffraction. The radius, pd, of the purely diffraction-limited 
spot size of the beam incident upon a flat receiving plane at the location of Bob's apparatus 
is found from a straightforward calculation to be given by 



pd 



4L^ /D^^'^'^' 



{kDAf 



(178) 



where L is the path length over which the signal propagates. Da is the diameter of the 
aperture of Alice's transmitting instrument and k is the wavenumber of the photons in the 
beam. The calculation of loss associated with this spreading of the beam will be deferred 
to allow for the inclusion of the additional beam spreading loss caused by atmospheric 
turbulence as deduced in Section 14.1.31 below. 



4.1.2 Static Atmospheric Losses 

Even in the absence of any turbulent motions at all, the atmosphere will induce a variety 
of scatterings and absorptions of the pulses in the beam, leading to a reduction in the 
received signal intensity at Bob. We have made use of the FASCODE ("Fast Atmospheric 
Signature Code") jHZl EHl IHO] computer code developed by the U.S. Air Force Research 
Laboratory to numerically compute typical examples of such losses in a wide variety of 
operating environmental conditions. In our analysis many computations were carried out for 

^^Our line attenuation, a, is defined to be equal (in linear units) to unity when there is no signal loss, and 
equal to zero when there is complete loss of signal. This is often referred to as the transmittance. 
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a wide range of boundary conditions. As a representative example some of our computations 
were done with the following assumptions input to the code: (1) 1550 nanometer wavelength 
light, using the high-resolution version of FASCODE, (2) 45 degrees slant angle (the slant 
angle is defined to be equal to 90 degrees at zenith), (3) inputted geographic coordinates 
for Hanscom Air Force Base, Massachusetts, (4) minor sunspot actvity, (5) azimuth angle 
equal to degrees {i.e., looking northward), (6) clear conditions (this defined as yielding 23 
kilometers visibility), ^^ (7) no significant recent weather or volcanic activity, (8) date and 
time for computer run: 21 March, 2000, noon. 

We will denote the losses defined by the output of FASCODE runs by 

-^static atmospheric = 10 " log^Q (normalized FASCODE signal output) , (179) 

and incorporate this in Section 4.1.5 below in a complete account of the total free space line 
attenuation. 

A summary of the physical meaning of these numerical computations follows: 

• The typical attenuation obtained for a path length of 300 kilometers, representing the 
distance from mean sea level (MSL) to a low-earth-orbit (LEO) satellite, in the direction of 
propagation from satellite to ground against clear weather conditions for 1550 nanometer 
laser light indicates a static atmospheric attenuation of order —1 dB.^*^ 

• The static atmospheric attenuation effectively disappears when the two ends of the link 
are located at elevations of 10 kilometers and 300 kilometers, respectively. 

• Rain, and even light drizzle, will severely attenuate the beam to the extent that in many 
cases useful signal cannot be transmitted at all. 

The results of typical FASCODE computer runs are illustrated in Figure ^2 with a set of 
numerical curves that depict characteristic static atmospheric losses. For the computations 
in this example we have assumed that clear weather conditions obtain, defined as above to 
yield 23 kilometers visibility. In this graph we display curves of the atmospheric transmission 
as a function of the declination angle with respect to zenith, with degrees corresponding 
to the zenith position. Inspection of the curves reveals the expected functional dependence, 
with the static atmospheric transmission loss increasing as the declination angle increases 
from degrees to 50 degrees. 

(The computer analysis was specifically carried out using the Air Force Research Laboratory's 
PLEXUS system jlU]; which provides an interface to FASCODE.) 



^''This is only representative, as FASCODE computations were carried out for a variety of less favorable 
weather conditions, as reflected in the analysis presented in Section 5.3.2 of this paper. 

^^In this paper we adopt the convention of denoting attenuation values (when measured in decibels) as 
negative quantities. 
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Transmittance ^^ersus Wavelength and Declination Angle 
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Figure 11: Sample FASCODE Results for Static Atmospheric Attenuation 
4.1.3 Turbulent Atmospheric Losses 

Atmospheric turbulence will potentially induce a variety of signal losses in the propagating 
beam. These are: (1) turbulence-induced beam spreading (this is beam spreading in addition 
to that beam spreading due to purely geometrical diffraction effects), (2) turbulence- induced 
beam wander, (3) turbulence-induced coherence loss, (4) turbulence-induced scintillation, 
and (5) turbulence- induced pulse distortion and/or broadening. (Another well-known type 
of turbulence-related loss, thermal blooming, is not relevant here as the filled bit cells in the 
beam comprise principally a sequence of single photons which can only heat the atmosphere 
to a negligible degree.) 

In analyzing turbulence-induced losses, it is necessary to adopt a particular model for the 
refractive index structure function C^ in order to characterize the turbulent motions in the 
atmosphere. In our analysis we have made use of two standard models of atmospheric 
turbulence, the Hufnagel- Valley 5/7 model HU |121 ESI and the CLEAR I model 
The dependence on altitude of C^ in the former model is illustrated in Figure | 

We now consider in turn each of the five types of turbulence-associated losses enumerated 
above. 
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Cn Profile Calculated from the Hufnagel- Valley 5/7 Model 
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Figure 12: The Hufnagel- Valley 5/7 Model for Atmospheric Turbulence 

Turbulence-Induced Beam Spreading 

From standard results in turbulence theory ^f\ HHl the transverse coherence length is given 
by 



Po 



1.46A;2 sec ^ f dr]Cl (r/) (l - j) 



5/3 



-3/5 



(180) 



where k is the wavenumber, L is the path length over which the signal propagates, (f is 
the declination angle with respect to the zenith direction and C^ is the refractive index 
structure function. The (mean squared value of the) "short-time beam spread radius" due 
to both turbulence and vacuum geometrical effects is given by 



(pD = pI + 
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where D^ is the diameter of the aperture of Alice's transmitting instrument and 



Pd 



AL' 



{kD, 
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(182) 



is the vacuum beam spread radius presented in Section [4. 1. II above. ^^ Then the associated 

^^ The expressions used in ea. (|181|l for (p^) and in ea. (|184() below for (p^) are valid 07] in the region of the 
system parameter space characterized by the inequalities pa << Da < Lq and L ^ kX^, where Lq furnishes 
a measure of the largest distances over which fluctuations in the index of refraction are correlated (typically 
Lo ~ 100 m), X is the smaller of Da and po, and L is the signal path length. In the cases considered here 
it is straightforward to show numerically that both inequalities are satisifed. 
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loss, i.e. the total beam spread loss due to both turbulence and vacuum geometrical effects, 
is given by 

■^beam spread = -^beam spread (^5 f, L, Da, D b) = 10 ■ logj^Q I , ^. 1 , (183) 

where Db is the diameter of Bob's receiving instrument. The above expression is defined 
to give a negative value {i.e., indicate a loss) when the area of Bob's receiving instrument 
is less than the effective area of the turbulence- and diffraction-limited spot of the fully 
spread laser beam. (In this approach it is assumed that there is uniform illumination across 
the turbulence- and diffraction-limited received spot. This is acceptable because a different 
situation in which, say, there is a Gaussian pattern, will generate less loss, so that we are at 
worst overestimating the loss in this case.) 

As a particular example, we assume that the diameter of the aperture of Alice's transmitting 
instrument is Da = 30 cm for laser light at 1550 nanometers wavelength. The largest amount 
of diffraction- and turbulence-induced beam spread loss will be realized in systems with 
receiving apertures that are too small. We consider two cases: (1) Alice is on a LEO satellite 
orbiting at 300 kilometers altitude above Bob who is at mean sea level. If the diameter 
of Bob's receiving instrument is Db = 30 cm, the total beam spread loss is —17.3237 dB 
with Alice located at zenith above Bob, and increases to —19.0205 dB with Alice at a slant 
angle of 45 degrees. If the diameter of Bob's receiving instrument is increased to Db = 1 ni, 
these losses are reduced to —6.86612 dB and —8.56288 dB, respectively. (2) Alice is on a 
GEO satellite orbiting at 22236 miles altitude and Bob is assumed to be located either on a 
mountain at high altitude, or on an aircraft, in either case such that most of the turbulent 
effects are effectively very small. In this case the signal loss due to beam spreading can be 
determined from the effects of diffraction: if Db = 1 m and Bob is on a mountain at an 
altitude of 13500 feet (such as at the Mauna Kea Observatory location) the loss is —41.4144 
dB; if Bob is on an airplane at 35000 feet altitude the loss is —41.4128 dB. If Db = 10 m, 
which is the size of the effective aperture of the Keck Telescope on Mauna Kea, these losses 
decrease to -21.4144 dB and -21.4128 dB, respectively. 

Turbulence- Induced Beam Wander 

The presence of atmospheric turbulence will cause the beam to appear to "wander" around 
a bit on its passage through the space between Alice and Bob. The mean squared value of 
the radius of this beam wander region is given by turbulence theory |¥7l EH] as 

Existing engineered devices that apply active closed-loop feedback control between Alice and 
Bob are available to generate in excess of 30 dB rejection of turbulence-induced beam wander 
|49j . These systems employ fast steering mirrors that scan the incoming tracking beam to 
correct for lower frequency wander (< 100 Hz). 
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The explicit loss in signal associated specifically with turbulence-induced beam wander is 
given by 

f Dl \ 

^beam wander = '^beam wander {k, ^, L, Da, Db) = 10 ■ log;^o I ai 2\ ) ' i^^^) 

As a particular example, we again assume that the diameter of the aperture of Alice's 
transmitting instrument is D^ = 30 cm for laser light at 1550 nanometers wavelength. As 
with the loss due to beam spreading, the largest amount of turbulence-induced beam wander 
loss will be realized in systems with receiving apertures that are too small. We again consider 
two cases: (1) Alice is on a LEO satellite orbiting at 300 kilometers altitude. Even if the 
diameter of Bob's receiving instrument is as small as Db = 30 cm, the same size as for Alice, 
the beam wander loss is —16.4917 dB with Alice located at zenith above Bob, and increases 
to —17.9969 dB with Alice at a slant angle of 45 degrees. (2) Alice is on a GEO satellite 
orbiting at 22236 miles altitude. As long as Db > 2.11 meter the beam wander loss is no 
worse than —30 dB if the slant angle is not taken into account: this is appropriate in the case 
of the earth-GEO satellite link, as it is assumed that the receiving platform will be located 
either on an aircraft or a mountain (such as the Mauna Kea Observatory location) in order 
to minimize atmospheric effects in general. 

Thus, we can arrange that the total signal loss associated with turbulence-induced beam 
wander can be suppressed to a level less than a magnitude of 30 dB in the cases of interest, 
for which purpose there are engineering solutions available to completely mitigate this loss. 

Therefore, it is possible to construct a QKD system in which beam wander loss is effectively 
eliminated for both LEO and GEO satellite links. 

Turbulence- Induced Coherence Loss 

In this section we consider two types of coherence loss that will affect the state of the pulse as 
it arrives at Bob's detector. In principle, these coherence losses could affect the probability 
that photons arriving at the Bob's apparatus will be detected, thus reducing the rate at 
which secret bits can be produced. We will show that, if the effective cross section of the 
detector is sufficiently large, these effects do not reduce the count rate of Bob's apparatus. 

The first effect is due to the loss of spatial coherence. Consider first what happens when a 
classical optical signal impinges on a telescope [20] • If the lateral coherence length of the 
signal is less than the diameter of the receiving optics, the intensity pattern at the focus 
becomes spread out over a larger area. This is due to a diffraction effect in which the 
effective aperture is given by the coherence length of the signal rather than the diameter 
of the telescope objective. In applying this to the case of a weak pulse containing small 
numbers of photons, we note that the classical intensity corresponds to the probability of 
measuring a photon in a given region. As long as the detector is designed to capture any 
signal that appears in the diffraction disk, it can be expected to collect individual photons 
that propagate through the same optical device. Provided this condition is met, there is no 
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loss of photon counts due to loss of spatial coherence in the incoming pulse, and we then 
have 

•'-spatial coherence U . (^ioDj 

The second effect is the decoherence of the quantum mechanical phases associated with the 
initial coherent state sent by Alice. The initial state is described by a coherent superposition 
of photon number states: 

i<^) = f:\/^e^'i^)' (187) 

fc=0 ' '^• 
where is the semi-classical phase of the coherent state. Note that we idealized the pulse 
as a pure monochromatic state, and that we have suppressed polarization and wavevector 
indices. The actual physical pulse will be a superposition of such states summed over a 
region of wavevectors to produce a wave packet that is localized in space and time. This 
linear superposition is irrelevant to our argument, as we will only be concerned with the 
relative phases of the terms appearing in the monochromatic coherent state. The density 
matrix corresponding to this state is 



picok)^ E e""\/^e^"^'l^)(^l > (188) 

where we define the phase factor 

(/.,, = (k-l)(l). (189) 

Since the phases for the on-diagonal elements are identically zero, this can be rewritten as 



+ t^-''^^^^^''''\k){l\- (190) 

The density matrix for the incoherent state is obtained by averaging over the phases (pki- 
The resulting density matrix is 

oo k 

fc=0 ^- 



oo 



+ Ee-^V^^^(e^^-)|A:)(/|. (191) 

We now use these expressions to find the response of the detector in the coherent and 
incoherent cases. An idealized detector is a device which produces a count if it measures in 
state \k) for k>l. This measurement corresponds to the projection operator 

oo 

M = j:\k){k\ 
fc=l 

= 1-|0)(0|, (192) 
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so that the expectation value of the measurement on a mixed state characterized by the 
density matrix p is 

{M) = Tr{pM) 

= 1-poo. (193) 

But from equations ()19()|1 and (jlfjlj) . we see that 
and 

{M)(^coh) = {M)(incoh) , (195) 

so that the result of the measurement is independent of whether or not the quantum me- 
chanical phases have lost coherence on their way from Alice to Bob, and we thus have 

■'-quantuirL coherence U • (^iyoj 

It is clear from the discussion that this insensitivity to the coherence properties of the received 
signal is due to two factors. First, the loss of quantum coherence only affects the off-diagonal 
terms in the density matrix, and, second, the response of the detector is dependent only on 
the diagonal terms. This property of the detector is due to the fact that it is essentially 
a photon counting device, which performs measurements that projects the measured states 
onto a set of states described in terms of the photon number basis. Our conclusions apply 
to any detector that can be so described, including the imperfect (77 < 1) detectors of a real 
implementation. 

Turbulence- Induced Scintillation 

Atmospheric turbulence will cause the received value of the signal intensity / to fluctuate 
about its average value. This will manifest itself as a distinct scintillation of the laser beam. 
We will calculate the magnitude of the scintillation in the weak turbulence regime, for which 
the Rytov approximation holds. (There is little point in QKD applications in considering the 
regime of stronger turbulence as we would not expect sufficient signal to survive the transit 
to even a LEO satellite in this case.) 

The magnitude of the normalized variance of the signal intensity that is responsible for the 
intensity scintillations is given by jl?! HHl 



2 {ii-{i)r) 

(/)2 "^>^' 



where 



al = 0.56A;^/^ / dzC": (z) /Z*^ , (198) 

^ JO 

so that we have for the associated loss 

Scintillation = -^scintillation {k, L) = 10 ■ logj^Q ( 1 — \J(7j j . (199) 
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The Rytov approximation appropriate for the regime of weak turbulence is specified by the 
inequahty 

aj < 0.3. (200) 

As a numerical example, if we assume that Alice transmits laser pulses at a wavelength 
of 1550 nanometers and we employ the Hufnagel- Valley 5/7 model for the refractive index 
structure function we obtain a^ = 0.0158, corresponding to aj ^ 0.06305, which indicates 
that we are well within the regime of validity for the Rytov theory. This implies a signal loss 
due to intensity scintillations of —1.26 dB. Note that, due to the rapid decay with increasing 
altitude of the Hufnagel- Valley 5/7 model, this result holds almost identically for the cases 
of Alice located on a LEO satellite and on a GEO satellite. 

Turbulence- Induced Pulse Distortion and/or Broadening 

For pulses of sufficiently short duration the consequences of atmospheric turbulence can 
include inducing distortion and/or broadening of the shape of the pulses through the gener- 
ation of dispersion. In order to mitigate this problem we would like to find the conditions 
that ensure that the spectrum of a short pulse in a turbulent medium be equal to that of the 
same pulse when it was incident upon and entered the medium. These conditions have been 
worked out by Fante and consist of the two inequalities (eq.(106) and eq.(107) in [T7j): 

^^^ « 1 (201) 

do 

and 

0.39n^ClLl/^L , , 
^-^ « 1. 202 

Here c is the speed of light, fi is the bandwidth of the pulse, L is the path length and L^ 
and lo are, respectively, the outer and inner scale sizes of typical turbulent eddies: L^ (as 
mentioned in footnote EH above) furnishes a measure of the largest distances over which 
fluctuations in the index of refraction are correlated, and lo is a measure of the smallest 
correlation distances. 

The above inequalities can be numerically solved and inspection of the plotted results allows 
one to identify parameter regions where pulse distortion and/or broadening do occur and 
where they do not. We have plotted in Figure El below a numerical solution for the case 
when the laser pulses are at a frequency of 1550 nanometers, and we have taken typical 
values |17j of L^ = 100 m and lo = 0.001 m, making use of the Hufnagel- Valley 5/7 model 
for the refractive index structure function. We see that when Alice is orbiting on a LEO 
satellite at 300 kilometers altitude, in order to avoid incurring any pulse distortion and/or 
broadening loss, the width of the pulse must be greater than 19.8 picoseconds, corresponding 
to a laser pulse repetition frequency (PRE) of no greater than about 50 GHz.^" This means 

^°Note that the bit cell period, r, which is by definition equal to the reciprocal of the PRF of the laser, 
is in general larger than the width of the pulse. The calculation of a lower bound on the pulse width thus 
enables us to deduce an upper bound on the value of the PRF. 
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Region of Turbulence -Induced Dispersion Loss 
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Figure 13: Pulse Distortion and/or Broadening Graph 

that, ignoring for the moment all other concerns regarding operating a QKD system at a 
basic clock rate of 50 GHz (such as photon detection, real-time data recording, etc.), it is 
preferable to utilize lasers with PRFs of less than 50 GHz for an Earth-LEO satellite link, 
and even slower laser pulse rates for links to higher altitude satellites. When these conditions 
are met we have for the associated loss 



•'-pulse distortion/broadening U • 

These are not necessarily rigid constraints on system design, however. 



(203) 



In the case of an 

Earth-LEO satellite link, for example, the use of a laser with a larger FRF than 50 GHz 
might be acceptable: the effect of the addition to the line attenuation, and the corresponding 
decrease in system throughput caused by the resulting noise would need to balanced against 
the increase in throughput caused by the shorter bit cell period. Such an analysis would be 
a fruitful area for future numerical research. 

In Section 5 below we will discuss the design of a practical high speed QKD system in 
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which a laser with a PRF of 10 GHz is employed, corresponding to a bit cell period of 100 
picoseconds. In Figure ^1 we have indicated the two limits on the pulse width provided by 
the 100 picosecond and 19.8 picosecond points, respectively. 



4.1.4 Optics Package Losses 

The optics package losses can be estimated by comparing a proposed system design for the 
Alice and Bob apparatuses with demonstrated optical communications systems of compa- 
rable complexity. This complexity is assessed in terms of approximately equal numbers of 
system components of corresponding quality and characterstics appropriate for a QKD sys- 
tem setup. In Figure ^M below we compare the demonstrated losses for a variety of laser 
communications terminals as reported in the literature. ^^ 

Based on this analysis of extant systems of comparable complexity, it is reasonable to take 
a value of -5 dB for the expected optics package loss associated to the QC system proposed 
in Section 5 below. We will employ this value of loss for the optics package in computing 
the total line attenuation for a free space implementation. 

"Behind-the-Telescope Loss" 

We briefly mention here the loss that may arise between the "back" of Bob's telescope and 
front of his detector apparatus, deferring to Section 5.2.1 below a more detailed discussion. 
We have already calculated and discussed the beam spreading loss associated to the passage 
of the laser beam from Alice to Bob. The consequence of this effect is that the laser "spot" 
that is incident upon the front of Bob's telescope is larger than we would like it to be - this 
is a problem of received beam size. There is another beam size problem that can develop 
behind Bob's telescope, if the received beam incident upon the surface of Bob's photon 
detection apparatus is too large. We propose in Section 5.2.1 below a method of mitigating 
such loss for the novel type of fast photon detector that is a central and unique feature of 
the high-speed QKD system we decribe. It is important, in general, to take careful account 
of this source of loss, as it can be a very important contribution to the overall optics package 
loss unless successfully mitigated. 



4.1.5 Complete Line Attenuation Losses - Free Space 

We collect here the results of the above sections to display the total line attenuation- 
associated losses on the strength of the signal in the case of free-space propagation. This 
analysis allows us to understand the operating characteristics of an actual quantum cryp- 
tography implementation set up as a free space communications system. The various losses 
that contribute to the complete free space line attenuation a can be assembled into a single 



'^We thank C.P. McClay for assembling this information. 
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Figure 14: Optics Package Loss Comparison Table 

function that can be numerically plotted. Putting together the expressions from eqs. ()179|) . 
dUni), dUSl), dUSl), (Unni), (Unni), and d^nni), we form the complete line attenuation function 
c^free space as the sum of all losses: 

Oifree space (^free space \i^) ^i ^i '-^ Ai i-'B) 

= E^ 

•'-static atmospheric ~r *-bcam spread T ■'-beam wander ~r ^-spatial coherence 

~r •'-quantum coherence ~r •'-scintillation ~r •'-pulse distortion/broadening ~r •'-optics package ; 

(204) 

where the equation of state in the first line above displays only some of the various functional 
dependences that characterize the total line attenuation. As only one example of several 
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additional ones that could be discussed, the dependence on fog conditions that is implicit 
in the term £static atmospheric is not explicitly indicated as part of the functional dependence, 
although it certainly needs to be specified in order to obtain a concrete numerical result (and 
in practice this is done by providing fog data in an appropriate input file for the FASCODE 
runs discussed in Section 4.1.2 above). 

In Figures El and El below we plot the dependence of this loss on the diameter of the 

Total Line Attenuation Curves for 30 cm Transmitter Optics ("Alice") and Photon Qubits at X^1550 nm 
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Figure 15: Line Attenuation for A = 1550 nm 

aperture of Bob's receiving instrument, Db-, assuming that the transmitting instrument used 
by Alice has a diameter of Da = 30 cm. These curves are computed for the cases of light 
at wavelengths of A = 1550 nanometers and A = 770 nanometers, respectively. As discussed 
in Section 4.1.3 above, the use of sufficient adaptive beam tilt correction to have effectively 
mitigated the effects of beam wander has been assumed. The static atmospheric transmission 
losses have been computed using the FASCODE computer program as described in Section 
4.1.2 above. The scintillation and beam spread losses were calculated using the Hufnagel- 
Valley 5/7 and CLEAR I atmospheric turbulence models, respectively. For all the curves it 
has been assumed that Alice is located on a LEO satellite at 300 kilometers altitude. The 
solid curves are for Bob located at an altitude of 35000' for arbitrary slant angle, and the 
dashed curves are for Bob located at mean sea level for different slant angles of degrees 



104 



Total Line Attenuation Curves for 30 cm Transmitter Optics ("Alice") and Photon Qubits at X=770 nm 
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Figure 16: Line Attenuation for A = 770 nm 

and 45 degrees. We have assumed that clear weather conditions apply for the curves in both 
Figure ITHl and Figure ITHl^^ 

As an example, inspection of Figure ITHl reveals that, at A = 1550 nanometers for a value of 
Da = 30 cm and with Bob on an airborne platform at 35000 feet, in order to achieve a line 
attenuation amount of -10 dB it is necessary for Bob to use a receiving instrument with an 
aperture of 58 cm. If we switch to a wavelength of 770 nanometers, inspection of Figure El 
reveals that roughly the same size of aperture for Bob will produce a line attenuation value 
of -5 dB.63 



^^As mentioned in Section 4.1.2 above "clear weather" conditions arc defined as yielding 23 kilometers 
visibility. 

^■^An analysis is given in [HJ of the Ground/ Orbiter Lasercomm Demonstration (GOLD) free-space optical 
communications experiment carried out between Table Mountain Facility near the Jet Propulsion Laboratory 
in Pasadena, California and the (geosynchronous) Japanese ETS-VI satellite. Both the predicted values and 
the measured values given there for the losses are larger than the values predicted in our analysis. This 
is due to the fact that the authors of [Sj have defined and calculated system losses by making use of the 
generic radar equation, in particular modelling optical elements as antennas. When the appropriate antenna 
gain quantities are taken into account, the predicted and measured values given in |SJ become consistent 
with the predicted values for the line attenuation given here, after substituting LEO for GEO. 
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4.2 System Losses: The Line Attenuation - Optical Fiber 

The line attenuation for a QKD system with optical fiber as the quantum channel is expressed 
in a different way from that for a free space quantum channel. The general expression is 
given in this case as 

^ fiber ^^^ fiber \^ fibers ^j "'J 

= 10 -^ — , (205) 

where L fiber is the length of the fiber cable connecting Alice and Bob. In this expression A is 
a parameter that measures the intrinsic loss characteristic, per unit length, of the fiber (this 
is a quantity essentially "built in" at the factory where the cable is manufactured) and k is 
the "bulk loss" constant associated with the fiber that includes, for example, splicing losses 
due to the presence of spliced links of fiber. At the present time it is possible to obtain optical 
fiber cable of high quality for the transmission of 1550 nanometer wavelength light that has 
an intrinsic attenuation constant oi A = 0.2 dB/kilometer. In addition to the attenuation, 
per se, along the fiber, one must also take into account the intrinsic channel error, r^, which 
is caused by the phenomenon of dispersion of photon arrival times as the pulse propagates 
from the Alice to Bob sites. As we will discuss below, this problem can be mitigated by 
including appropriate segments of so-called "compensating" fiber in the channel. Each such 
inserted link, however, introduces a contribution to the value of the bulk loss constant k, 
thereby affecting the net value of a fiber- Thus, in the case of an optical fiber implementation 
of quantum cryptography, the intrinsic channel error Tc and the line attenutuation a fiber are 
"connected" to each other in a way that is not the case for a free space implementation, as 
we discuss below. 



4.3 The Intrinsic Channel Error 

The effective secrecy capacity S exhibits a sensitive dependence on the intrinsic quantum 
channel error parameter r^. Relatively small changes in the value of the intrinsic channel 
error can have a significant effect on the magnitude of the effective secrecy capacity and 
total throughput rate of a practical quantum cryptography system, even if all other sources 
of system loss have been mitigated. In this section we analyze the characteristics and causes 
of this source of error. 



4.3.1 Free Space Quantum Channel 

The intrinsic channel error, Tc, is the parameter that measures the tendency of the free space 
QKD system characteristics to cause the states transmitted by Alice to suffer polarization 
misalignment by the time they are detected by Bob. For a free-space quantum channel the 
depolarization rate will be determined principally by the actual angular mismatch between 
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the Alice and Bob instruments as the platforms supporting one or the other or both of them 
move. This will occur, for instance, if Alice is on a satellite and Bob is located at a ground 
station, or perhaps on another moving platform. 

In Appendix A it is demonstrated that, if the relative angular mismatch between the Alice 
and Bob instruments is denoted by S, the fractional error rate due to polarizer misalignment 
is given by 

re = sin^ (5) . (206) 

Thus, even if 6 is as large as 1/10 radian (5.7 degrees) the probability of error is less than 
1%. Since S is relative angular mismatch between Alice and Bob, the solid angle cone within 
which relative motion is allowed (for a given value of r^) is 26. Thus if the platforms on 
which Alice and Bob are located can be subjected to attitude control such that corrections 
can be applied that allow motion through a cone of solid angle of no more than 11.5 degrees, 
the intrinsic channel error can be made to satisfy Vc < 0.01. This constraint on the necessary 
real-time control of the attitude of a satellite on which the Alice device could be placed and 
on telescope adjustment requirements is well within the currently achievable state-of-the-art 
|52| l53] . and it is therefore reasonable for us to employ a value of Tc = 0.01 in the effective 
secrecy capacity in computing the operating characteristics of a free space implementation 
of quantum cryptography. 



4.3.2 Optical Fiber Quantum Channel 

In the case of a fiber-optic quantum channel, the dispersion characteristics of the fiber will 
generate an intrinsic error rate. Dispersion causes the shape of the transmitted pulse to 
spread as it travels along the fiber. We envisage an optical fiber cable-based QKD sys- 
tem built using single mode telecom fiber, used to transmit signals at a wavelength of 
1550 nanometers. In this situation we are primarily concerned with two types of disper- 
sion that appear in available optical fiber cables: (1) chromatic pulse dispersion (CD), and 
(2) polarization-mode pulse dispersion (PMD). Because we neither advocate nor analyze 
a QKD system built from multi-mode fiber we will not be concerned with other types of 
dispersion effects that can arise, such as modal dispersion. 

If the effects of dispersion along the cable are not mitigated this will specifically appear as a 
certain amount of dispersion of the photon arrival time of the transmitted signal as received 
by Bob. The figure-of-merit in assessing this is provided by comparing the dispersion delay 
time with the appropriate characteristic critical time, which is given by the bit cell period 
r (the reciprocal of the pulse repetition frequency) of the data source laser at Alice. In the 
special case of an inteferometry-based quantum cryptography system as described in [S^I55j . 
one should compare the dispersion delay time with two generally different characteristic 
critical times, the bit cell period r as before, and the coherence time, Tcoh associated with 
the data source laser. 
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Chromatic Pulse Dispersion 

Chromatic pulse dispersion stems from the dependence of the index of refraction on the wave- 
length. In more detail, chromatic dispersion in a fiber is partly due to "material dispersion," 
the dependence of the fiber core index of refraction on the wavelength, and to "waveguide 
dispersion," the dependence of the constant propagation mode on the wavelength. For single 
mode fibers that transmit light at 1550 nanometers wavelength, the amount of chromatic 
dispersion, dcD, is given by 

picoseconds 



ICD 



(207) 



nanometer ■ kilometer 
which corresponds to a chromatic dispersion pulse delay time, tcd, of 

TCD = dcD ■ L ■ AX 

~ 160 picoseconds (208) 

for a cable link of L = 50 kilometers, assuming a laser source with a linewidth of AA = 
0.8 nanometer. To compare this with the two characteristic times we assume that the source 
laser has a coherence time T^oh of at least 1 nanosecond, or T^oh = 1000 picosecond. We 
therefore have 

rcD < Tcoh , (209) 

and no mitigation of chromatic pulse dispersion is required on this basis. However we see 
that the requirement 

TCD < T (210) 

means that we must mitigate chromatic pulse dispersion if we use a fast data source laser with 
a bit cell period shorter than 160 picoseconds, corresponding to a pulse repetition frequency 
greater than 6.25 GHz. As we discuss below, we envisage the use of high speed lasers with 
pulse repetition frequencies of 10 GHz. We conclude that chromatic pulse dispersion needs 
to be mitigated if we utilize a high speed laser with a pulse repetition frequency of 10 GHz 
(corresponding to a bit cell period of 100 picoseconds). Mitigation of this problem can be 
accomplished by making use of appropriate lengths of dispersion compensation fiber spliced 
into the line to reduce the photon arrival time dispersion to less than approximately 50 
picoseconds. (As discussed in Section 4.2 above, each additional inserted cable link will 
increase the line attenuation by increasing the splicing loss.) 

Polarization- Mode Pulse Dispersion 

Polarization-mode dispersion due to intrinsic and induced birefringence will cause the pulses 
to broaden as they propagate along the fiber jSHl- In currently available good quality single 
mode fiber operating at a wavelength of 1550 nanometers, the amount of polarization-mode 
dispersion, dpMD, is typically given by^'' 

picoseconds 
dpMD^ 0.1 —. ^ , (211) 
vkilometer 



^*In this example we have used representative sample numerical values appropriate for Lucent True Wave 
fiber. 
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The corresponding polarization-mode dispersion pulse delay time, tpmd, is given for a cable 
link of L = 50 kilometers by 

TpMD = dpMD ■ VL 

~ 0.7 picoseconds . (212) 

We see that, again assuming a laser coherence time of 1 nanosecond, this polarization arrival 
time dispersion strongly satisfies the requirement 

TpMD < Tcoh ■ (213) 

Furthermore we see that the requirement 

TPMD < r (214) 

is satisfied unless the pulse repetition frequency of the laser is greater than Tplip, = 1.43 THz. 
The current state-of-the-art in photon detection and data correlation is such that this value 
does not furnish a constraint. Thus, polarization- mode dispersion will not be a practical 
problem. 

4.4 System Loads 

In the previous section we analyzed the various losses that together reduce the effective 
throughput of a QKD system. In this section we consider the complete set of system loads 
that together must be taken into account as well to establish a bound on the achievable data 
rate. Our analysis includes careful calculations of the cost in bits of maintaining continuous 
authentication of the QKD protocol, the throughput requirements on the classical communi- 
cations channel, and the computational requirements measured in machine instructions that 
must be satisfied in order to carry out real-time processing of the key. 

Although these processes are crucial to the implementation of any QKD system, there has 
been essentially no explicit, quantitative analysis of any of them presented heretofore in the 
literature on the subject. In the case of the authentication cost this seems to stem from 
the erroneous notion that an initially supplied, "short" authentication string shared between 
Alice and Bob will suffice to protect the protocol from spoofing. This is mistaken: (1) either 
the initially supplied, shared authentication string is indeed "short," in which case in due 
course it will be used up and must be replaced by removing bits from the key generated by 
the QKD protocol itself, or (2) the initially supplied, shared authentication string is in fact 
"long," in which case a primary justification for the use of quantum key distribution in the 
first place is severely weakened. In the case of the communications throughput load, the 
potential use of QKD on satellite systems in particular, clearly requires a detailed analysis 
of the constraints that must be satisfied by the specialized satcom equipment that will 
be used, and similar importance attaches to the computational burden, again with special 
consideration for the satellite problem, owing to obvious space constraints on the computing 
hardware that can in practice be installed on a spaceborne platform. 
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4.4.1 The Cost of Continuous Authentication 



General Remarks 



Prior to the error correction phase, the BB84 protocol furnishes Alice and Bob with a block 
of n bits, of which Eve has managed to obtain an amount of information equivalent to at 
most t + u bits by making undetected measurements of single photon pulses and by using 
some combination of direct and indirect attacks on the multiple photon pulses. The blocks 
obtained by Alice and Bob are not identical due to the errors introduced by imperfections 
in the physical apparatus. By listening to the public transmissions by which Alice and Bob 
eliminate the errors from their blocks. Eve is able to obtain additional information about 
Alice and Bobs bits, giving her a total of at most q + t + u bits of information about the error- 
corrected block. As the last step of the process, Alice and Bob use a privacy amplification 
technique as described in J21I to arrive at a block of bits that is shared identically between 
them and about which Eve is expected to have no information to a high degree of confidence. 
This section describes the details of a specific implementation of the error correction and 
privacy amplification process. It is assumed throughout that Eve has complete knowledge 
of the protocols, as well as unrestricted access to all communications between Alice and Bob 
that occur during this period. 

Our description of these protocols is intended to achieve two goals. The first is to determine 
the authentication cost of the protocols. This authentication cost is the number of shared 
secret bits that need to be sacrificed in order to guarantee that the protocols perform cor- 
rectly, that is, that execution of the protocols results in some predictable amount of secret 
key material that is shared identically between Alice and Bob but about which Eve has no 
information with a high degree of confidence. Since the authentication cost represents a sac- 
rifice of previously existing key material in order to guarantee the generation of a new block 
of key material, this cost has a direct impact on the rate at which keys can be generated. 

The second goal is to estimate the burdens these protocols place on computational and 
communications resources. Unlike the authentication cost, these costs have no direct effect 
on the rate of key generation, but they do provide an estimate of the computational and 
communications resources required to support key generation, resulting in constraints on the 
rate of key generation for given set of resources. In addition, the fact that the computational 
complexity is quadratic in the block size of the key material results in a practical upper 
bound on the block size, again for a given set of computational resources. 

We begin by giving a brief overview of the protocol. The first phase is the production of a 
sifted string of bits shared, except for some errors, by Alice and Bob. This is achieved by 
applying the BB84 protocol previously described. If the equipment were perfect and there 
were no possibility of errors, the sifted strings would be identical and any attempt by Eve 
to obtain more than a few bits would be revealed by the presence of errors in the sifted 
string. Since this is not the case for a practical implementation, it is essential to include 
mechanisms to correct the errors and to eliminate information leaked to Eve in the process. 
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The second phase is thus error correction. Ahce and Bob agree on a systematic scheme of 
computing and comparing parities for subsets of the sifted string in order to identify and 
correct the errors. Since Eve can eavesdrop on this discussion, an additional amount of data 
is leaked. The third phase is privacy amplification, during which Alice and Bob apply a hash 
transformation to the error-corrected string which results in a shorter string about which 
Eve's expected information is vanishingly small. At various points during these three phases, 
Alice and Bob must authenticate their communications to ensure that Eve is not making a 
man-in-the-middle attack. 

Sifting Phase 

The first phase of the key distribution protocol is the generation of an initial sifted string 
that is shared between Alice and Bob, but which may contain errors and about which Eve 
may have partial information. We describe a specific implementation of the BB84 protocol. 
Alice generates two blocks of m random bits. The first block is the raw key material, and the 
second block determines the choice of basis she uses to transmit the bits over the quantum 
channel. Bob generates a single block of m bits that reflect his choice of basis in measuring 
the incoming qubits. Bob must now identify to Alice those pulses for which he detected a 
qubit and inform her of his choice of basis for those pulses. Bob has several choices available 
in deciding how he wants to encode this information. The simplest approach is to send 
two bits corresponding to each of Alice's pulses. The first bit tells whether a photon was 
detected, the second describes the choice of basis. This means that Bob must send 2m bits 
to Alice for each block of key material. A more efficient version of this scheme is to send 
the second bit only when the first bit indicates that a photon was detected. In this case. 
Bob only sends m + 2n bits on average. (The factor of 2 in 2n comes from the fact that 
Bob's choice of basis agrees with Alice's on average half of the time, so that there are twice 
as many detected photons as there are bits in the sifted key.) Since we always have 2n < m 
this alternative is no less efficient than the first, and usually it is more efficient. A third 
alternative is to send two pieces of information for each detected photon, the first indicating 
for which of the m bit cells the photon was detected, and the second giving Bob's choice of 
basis. This requires that Bob send 2n (1 + log2T7i) bits for each block of key material. This 
alternative is more efficient than the others when 

2n\og2'm<m, (215) 

Since we are primarily concerned with situations in which m » n, this is normally the most 
efficient of the three alternatives thus far discussed. More efficient encodings are certainly 
possible. For instance one might imagine sending differences between successive indices 
instead of the entire index. For purposes of obtaining reasonable estimates of the commu- 
nications cost without overcomplicating the analysis, the third alternative is a reasonable 
choice, and we will proceed by restricting the protocol to this case in subsequent discussions. 

Once Alice has received Bob's information, she compares Bob's basis choices with her own 
and informs Bob of the results. Alice can accomplish this by sending Bob a single bit 
corresponding to each of the photons Bob detected, giving a total of 2n bits. 
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We now augment the protocol with provisions that will prevent Eve from making the so called 
man-in-the-middle attack. In this attack, Eve interposes herself between Alice and Bob, 
measuring Alice's pulses on the quantum channel as though she were Bob, and generating 
a distinct set of pulses to send to Bob as though she were Alice. In all her subsequent 
correspondence with Alice over the classical channel, she responds just as Bob would, and in 
all correspondence with Bob she plays the role of Eve. After the first phase of the protocol. 
Eve has two blocks of sifted keys, one of which she shares with Alice and the other with Bob. 
Assuming she can continue this attack through the error correction and privacy amplification 
phases, she will have completely compromised Alice and Bob's ability to use the keys to 
transmit secret information. In fact. Eve will be able to decipher any encrypted information 
sent between Alice and Bob, always passing the ciphertext to the intended recipient so that 
neither Alice nor Bob is any the wiser. 

In order to prevent this state of affairs, it is necessary to provide an authentication mechanism 
to guarantee that the transmissions received by Bob were sent by Alice, not Eve, and that 
the transmissions received by Alice were sent by Bob. Wegman and Carter j^Hl describe an 
authentication technique that is well suited to this problem. The authentication works as 
follows. Alice and Bob first agree upon a suitable space of hash functions to be used for 
authentication. All details of their agreement may be revealed to Eve without compromising 
the authentication. For each message that is to be authenticated, Alice picks a hash function 
from the space that is known to Bob, but not to Eve. She does this by using a string of 
secret bits that is known only to herself and Bob as an index to select the hash function. 
She then applies the hash function to the block of raw data to produce an authentication 
key. This authentication key is transmitted to Bob along with the message. Bob uses the 
same string of secret bits to pick the same hash function, applies it to the message, and 
compares the result with the authentication key sent by Alice. If they match. Bob concludes 
that Alice, and not Eve was the sender of the message. Wegman and Carter describe a class 
of hash functions such that the probability that Eve can generate the correct authentication 
key without knowing the index used is vanishingly small. Let A^i denote the precondition 

( P^ 

that Eve has obtained a copy of the message to be authenticated and 7^ denote the set of 
outcomes in which Eve guesses the tag for the message. The probability of such an outcome 
is 

P(T/^^|A1i) = 2-^-"*S (216) 

where gauth depends on the space of hash functions Alice and Bob have chosen to use for the 
protocol. It can be made as large as desired by making the space sufficiently large. Alice 
and Bob do pay a price for increased confidence. A larger space of functions requires a 
larger set of indices, and thus a longer string of secret bits must be sacrificed to perform the 
authentication. The other restriction on the protocol is that a new hash function, and thus 
a new index, must be used for each message to be authenticated if we desire to maintain 
this upper bound on Eve's ability to spoof the authentication process. If we allow Eve to 
obtain one prior message and tag, denoted as AiiTi, and then allow her to obtain the next 
message, denoted as 7VI2J as well as the information that Alice and Bob intend to use the 
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same hash function for both, her chances of guessing the second tag improve only shghtly to 

V{%^^'^\MiTiM2) = 2^~3autH _ (217) 

If we allow additional messages to be authenticated using the same hash function, Wegman 
and Carter's analysis provides no upper bound on Eve's ability to produce a correct au- 
thentication tag. Although it would be more efficient to allow the same hash function to 
be applied exactly twice, we will consider the simpler case in which a new hash function is 
picked for each message. 

We now consider which transmissions need to be authenticated. We will not attempt to 
authenticate the communications on the quantum channel. Any man-in-the-middle attack 
by Eve on the quantum channel will become evident when the error correction process reveals 
that there is no correlation between the Alice and Bob's sifted strings. Eve also gains no 
advantage from a selective attack on a subset of the pulses sent by Alice. Suppose Alice and 
Bob predict an expected number of errors (e-r) based on the known physical properties of 
the channel and their equipment. They then select a maximum threshold value e^"^ > (ct) 
so that, if the measured error rate is greater than the threshold, that is, if 

e™^'^* > er"" (218) 

then they will conclude that Eve has interfered with the quantum channel, perhaps by making 
a man-in-the-middle attack, and will terminate processing for that block of data. There is 
still the possibility that e^'^"''^ < e™"^, but that Eve has nevertheless corrupted the quantum 
channel. In this case, the protocol proceeds as usual, the additional errors are identified and 
corrected, and the information leaked to Eve is removed during privacy amplification. This 
type of attack falls under the category of an attack on secrecy that has no effect other than 
to reduce the overall generation rate of key material. 

Authentication is required for the classical discussion of Alice and Bob's choice of bases and 
the identification of the pulses received by Bob. If there is no authentication of this step. 
Eve can successfully mount the man-in-the-middle attack which results in two sets of keys, 
one shared between Alice and herself, the other between Bob and herself. Authentication 
guarantees Alice and Bob that they are working with the same subset of the pulses sent by 
Alice and that any remaining errors are due to physical imperfections of the equipment or 
attempts by Eve to measure, and therefore disturb, the pulses sent by Alice. 

The authentication of the classical discussion results in a cost to the overall rate of quantum 
key generation, since some of the secret bits produced by previous iterations of the protocol 
must be sacrificed to generate an authentication tag that Alice or Bob can validate but that 
Eve cannot forge. Wegman and Carter [3^] show that the size of the secret index required 
to select a hashing function is 

w {g, c) = A{g + log2 log2 c) log2 c (219) 

where c is the length in bits of the message to be authenticated and g is the length in bits of 
the authentication tag. Note that g determines the degree of confidence in the authentication 
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according to eq. ()216|) . in which g is denoted Qauth- We define the parameter Qauth as the 
length of the authentication tags used in this protocol. The first message to be authenticated 
is Bob's transmission of the indices of the detected pulses and his choice of basis for each. 
The length of the message is 

ci = 2n (1 + log2 m) , (220) 

giving an authentication cost of 

wi = A^^gauth + log2 log2 2n(l + log2 m) } logs 2n(l + log2 "^) • (221) 

The second message is Alice's transmission of her choice of basis for the pulses that Bob 
detected. The length of the message is 

C2 = 2n , (222) 

and the corresponding authentication cost is 



W2 



Qauth + log2 log2 (2ra) logs (2?^) • (223) 



We consider next the load this phase imposes on the classical communication channel. We 
assume that the communication protocol employs some form of error-correction coding that 
increases the length of the message by a factor xec |SZI- The protocol then breaks the 
message into packets of length ntp and adds an amount of frame overhead fo to each packet. 
Finally, the authentication tag is sent as a single packet, on the assumption that the tag size 
after encoding for error correction is less than mp. 

XEC9auth < fUp (224) 

This is a reasonable assumption, as we generally will take Qauth < 50, xec ~ 2, so that we 
only require rUp > 100, which is easily achieved for typical optical ground-to-satellite links 
or terrestrial fiber optic channels. The number of packets sent from Bob to Alice is then 

^^, = ^XEc2nil + log,mh ^ ^ ^225) 

TUp 

and the load in bits carried by the channel is, approximately. 



C^'H, - (1 + — 



'B-^A 



TUp^ 



Xsc2n(l + log2m) 



+ {XECgauth + fo) , (226) 

where we have used the packetization approximation described in Appendix B. The commu- 
nication from Alice to Bob required for sifting is given similarly by 

+ {xECgauth + fo) . (227) 
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Error Correction Phase 

At this point Bob and Alice move on to the error correction phase. We will estimate the 
authentication, communication, and computational costs for a modified version of the error 
correction protocol described by Bennett et. ai, |21I. More efficient techniques have been 
developed, for example the "Shell" and "Cascade" protocols described in jSHl; but the method 
described here is more suitable for our purposes since it is simpler to analyze and can be 
expected to provide a practical upper bound for the communications cost. 

At the beginning of the error correction phase, Alice and Bob each have a string of n bits. 
The strings are expected to be nearly identical, but they will also contain errors for which 
Alice and Bob disagree on the value of the bit. It is the goal of error correction to identify 
and remove all of these errors, so that Alice and Bob can proceed with a high degree of 
certainty that the strings are identical. Error correction consists of three steps. The first 
step is the error detection and correction step, which eliminates all or almost all of the 
errors. The validation step which follows eliminates any residual errors and iteratively tests 
randomly chosen subsets of the string to generate a high degree of confidence that the strings 
are identical. The final step is authentication, which protects against a man-in-the-middle 
attack by Eve during the error correction process. 

At the beginning of the error detection and correction step, Alice and Bob each shuffle the 
bits in their string using a random shuffle upon which they have previously agreed. The 
purpose of this shuffle is to separate bursts of errors so that the errors in the shuffled string 
are uniformly distributed. Alice and Bob may use the same shuffle each time they process a 
new string of sifted bits, and security is not compromised if Eve has complete prior knowledge 
of the shuffling algorithm, even including any random numbers used as parameters. 

The error detection and correction step is an iterative process. Alice and Bob begin each 
iteration i by breaking their strings into shorter blocks. The block length is chosen so that 
the expected number of errors in each block is given by a parameter g. The number of blocks 
in the string is then 

(228) 



J» = 




and the average number of bits per block is 




fc« = 


n 



(229) 

where e^ is the expected number of errors remaining after the zth, or at the beginning of the 
i + 1st, iteration. In principle the parameter g could change from iteration to iteration. We 
assume that it is a constant to simplify the analysis. Alice and Bob compute the parity of 
each of the blocks and exchange their results. Blocks for which the parities match necessarily 
contain at least one error. For each of the blocks in which Alice and Bob have detected an 
error, they isolate the erroneous bit by a bisective search, which proceeds as follows. Alice 
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and Bob bisect one of the blocks containing an error, that is, they divide it as evenly as 
possible into 2 smaller blocks. Alice and Bob each compute the parity of one of the blocks, 
say the one that lies closer to the beginning of the shuffled string, and exchange the results. 
If the parities do not match, the error is in the lower block. If they match, the error is in 
the upper block. Alice and Bob then bisect the block that contains the error and proceed 
recursively until they find an erroneous bit. Bob then inverts that bit in his string, and in 
so doing the error is removed. 

We have described the bisective search as though the search were completed for any block 
containing a detected error before beginning the bisection on the next block. In fact, it is 
more efficient from a communications standpoint to apply each bisection to all the blocks 
with detected errors at the same time, exchange parities for all of the sub-blocks, and then 
to proceed recursively to the next bisection. This results in fewer, but larger, packets of data 
for each exchange between Bob and Alice, thus reducing the overall frame overhead. 

When the bisective search is completed for all blocks in which an error is detected, a new 
blocksize is computed based on the expected number of errors remaining, the string is broken 
up into a new set of larger blocks, parity checks are compared for the blocks, and bisective 
searches are made in those blocks containing detected errors. This process is repeated until 
there would be only one or two blocks in the string for the next iteration, that is, until 

J(^i+^) < 2 , (230) 

where Ni is the number of iterations in the error correction and detection step. An equivalent 
stopping criterion is that the blocksize for the subsequent iteration is more than half the 
length of the string, that is 

fc(^^+i) > ^ , (231) 

and the expected number of errors remaining after the final iteration satisfies 

eP = ei^'^ < 2g . (232) 

We summarize here some important results that are needed for an analytical description of 
the communications required to support this part of the error correction phase. As shown 
in the appendix "Statistical Results for Error Correction," the expected number of errors 
remaining after the ith iteration is 

e? ~ f3'eP , (233) 

and the expected number of errors found and corrected in the ith iteration is 
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ey ^ (1 - /?) (3'"'elr' , (234) 

where /3 is defined by the expression 

. ^^^ . (235) 

We obtain the number of iterations in the error detection and correction step by setting 
j(7Vi+i) < 2, which gives 



iVi 



rlog ^- 



i2 g(0) 



(236) 



logs/? 
and the expected number of remaining errors becomes 

eP-f^'^'eP -2g. (237) 

The second step in the error correction phase, vahdation, is also iterative. During each 
iteration, Ahce and Bob select the same random subset of their blocks. They compute the 
parities and exchange them. If the parities do not match, Alice and Bob execute a bisective 
search to find and eliminate the error. Iterations continue until N2 consecutive matching 
parities are found. At this point, Alice and Bob conclude that their strings are error free. 
As shown in the appendix "Statistical Results for Error Correction," the probability of one 
or more errors remaining is 

^(errors after validation) < e^^ [ - J (238) 

the expected number of iterations in which no error is found is given, to a good approxima- 
tion, by 

Nt^ ~ iV2 + e? ~ iV2 + 2^ , (239) 

and the expected number of iterations in which an error is found is 

N^^^ ^ eP ~ 2g . (240) 

The selection of the same random subsets for validation can be accomplished by using a 
deterministic random number generator [21] and resetting the random seed to a predeter- 
mined value at the beginning of the validation phase. We will assume that Eve has complete 
knowledge of the algorithm and the random seed as well. Note that it is to Alice and Bob's 
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advantage to keep the algorithm and seed secret, since Eve can make use of this information 
to interpret the parities she intercepts on the pubhc channel, but it is not essential to the 
secrecy of the overall result, since we eliminate all the information Eve can have obtained in 
privacy amplification. 

The last step in the error correction phase is authentication. Up until now, Alice and Bob 
have made no attempt to authenticate their exchange of parity information on the classical 
channel. Eve could mount a man-in-the-middle attack during the error correction phase that 
would fool Alice and Bob into correcting the wrong set of bits. This would not give Eve any 
additional information about the secret string, but it could result in Alice and Bob believing 
that their strings are identical when in fact they are not. Even if one bit is different, the 
privacy amplification phase will produce strings that are completely uncorrelated, and Alice 
and Bob will still believe that their strings are identical. The solution to this problem is for 
Alice and Bob to verify that their strings are the same at the end of the error correction phase. 
This effectively authenticates their prior communications, since any successful attempt by 
Eve to steer the error correction process will be immediately apparent. 

This approach presupposes that Alice and Bob can verify that their strings are the same 
without leaking too much additional information to Eve. This can be accomplished if Alice 
and Bob apply the same hash function to their strings and compare the resulting tag. This 
does not provide an absolute guarantee that the strings are the same, but if the hash function 
is chosen as described in jHE], the probability that two different strings will yield the same 
tag is 



V (same tag, two strings) = 2 ^^^ , (241) 

where qec is the length of the tag. This gives a high degree of confidence that the strings 
are identical even for relatively short {qec ~ 30) tags. The price Alice and Bob have to pay 
for this is that they must use a portion of the secret bits obtained from previous iterations of 
the protocol to select the hash function, indicate whether the keys match, and authenticate 
their transmissions. 

We introduce a specific protocol for Alice and Bob to carry out the authentication step for 
purposes of estimating the costs associated with this step. Alice and Bob agree to set aside 
a portion of the secret bits derived from each block of the quantum transmission for use 
in processing subsequent blocks. Some of these bits are used for authentication during the 
sifting phase as previously discussed. Some additional bits are required to use as a key to 
select the hash function for the equivalence check. The size of this key is given by eq. (j219p . 
where 



C3 = n , (242) 

is the length of the string to be hashed and qec is the length of the tag, so that the 
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authentication cost for equivalence checking is 

^3 = 4 {gEc + logs log2 n) log2 n . (243) 

Ahce and Bob both compute an equivalence tag using this hash function, and Bob sends 
his to Alice. Bob must also authenticate his message, since otherwise Eve can mount a 
man-in-the-middle attack in which she simply sends an arbitrary tag to Alice, convincing 
her that her string doesn't match Bob's string when, in fact, it does. Although this is only 
a denial-of-service attack, Alice and Bob will not detect the attack unless Bob authenticates 
his message. Since Bob's message to Alice is of length 

C4 = gEC , (244) 

and the authentication tag is of length gauth, the authentication cost for the transmission is 

W4=A {gauth + log2 log2 gEc) logg gEC ■ (245) 

If Alice determines that her equivalence tag matches the one Bob sent to her, and if the 
authentication tag agrees as well, she indicates that the authentication was successful be 
sending gEc secret bits to Bob. The authentication cost for this step is 

W5 = gEC . (246) 

bits to signal her agreement to Bob. Alice must also authenticate this message to protect 
against a man-in-the-middle attack by Eve. The length of the message to be authenticated 
is: 

C6 = gEC (247) 

and the authentication tag is of length gauth so that the authentication cost is 

We = 4: {gauth + log2 log2 gEc) log2 gEC ■ (248) 

Classical communications between Alice and Bob are required in each step of the error 
correction phase. During each iteration of the error detection and correction step. Bob sends 
to Alice a single transmission containing the parities computed for each of the J*^*^ blocks. 
Alice sends a similar transmission to Bob containing her parities. For each such iteration, 
the communication load in bits in each direction is approximately 
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(249) 



where we have used the packetization approximation described in the appendix. Then, for 
each block containing a detected error, Ahce and Bob bisect the block and exchange the 
parities of the the bisected blocks. This requires a communication in each direction of 
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bits. The bisective search repeats for a total of [log2 /c*-*^] iterations. The total communica- 
tions load in bits for this step is thus 
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For the next step, Alice and Bob each compute the parity for a random subset of their strings 
and exchange the results. One bit of parity information is sent in each direction, so that 
the communication load is xec + fo bits in each direction. If the parities are different, Alice 
and Bob carry out a bisective search for the error, resulting in [1 + log2 |] transmissions of 
Xec + fo bits in each direction. This is repeated until A'^2 successive parities match. The 
communications load for this step is then 
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where N2 is the number of iterations which do not find an error and N2 is the number of 
iterations which do find an error. 

In the third step, authentication. Bob sends to Alice an equivalence tag of length qec and 
an authentication tag of length Qauth giving a communication load of 
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bits. Alice sends a confirmation string of length qec and an authentication tag of length 
Qauth for a communications load of 
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(254) 



bits. Note that we have implicitly assumed that the tags are short enough to send in a single 
packet. Since the tags are typically less than 50 bits, this amounts to a requirement that 
the packet size rup exceed 200 bits so as to accomodate two tags plus error correction codes. 
This is a modest constraint on the optical communications system. 



120 



Collecting all of the contributions to the communications load, we obtain the following 
expressions for the load during the error correction phase: 
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The communications load can be expressed in terms of the fundamental quantities n,erp , and g 
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where we have approximated the results by disregarding the rounding up of real quantities 
to integers, and 



^1 .x ^1 / nn 

Elog2fc«e« ^ Elog^K^ 



),4-' 



iVi 
- El0g2 



^^)(i-/J)^'-H»' 



-T 



4»'|.o.(f](i-,.". 



/5l0g2/5 

1-/5 



A^i/?^i-^ + (iVi-l)/5 



A^i 



(25^ 



121 



where a similar approximation is made. Inserting these results and eqs. 
eq. ()255p gives the following expressions for the communications load: 
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Since parity information is exchanged over a classical channel, and since we assume that all 
classical communications are intercepted and correctly interpreted by Eve, we must therefore 
assume that some information about the strings shared by Alice and Bob is leaked to Eve 
during the error correction phase. The degree to which this protocol leaks such information 
is an important characteristic of the protocol. As was seen in Section 3.1.3, the theoretical 
lower bound on this leakage is given by (c/eq. 
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where h is the binary entropy function. We estimate the leakage qp associated with our error 
correction protocol by counting the parity bits that were exchanged during error correction. 
During each iteration of the first step, 1 bit of parity is leaked for each of the J^*-* blocks, 
and an additional [log2 /c*-*-*] bits is leaked for each block in which an error was detected. 
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During the second step, one bit is leaked for each iteration that does not reveal an error and 
[1 + log2 |] bits are leaked for each iteration that does reveal an error. The total is thus 
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Using eqs. ^E7^, (EHl dM), and 
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Information Leaked During Error Correction 
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Figure 17: Information Leaked During Error Correction 

Figure El is a comparison of the information leaked by the protocol to the theoretical min- 
imum for error correction parameters q = 0.5 and A'^, = 30 and for a sifted string blocksize 
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Ratio of Information Lealced to Sliannon Limit vs. Error Fraction 
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Figure 18: Ratio of Information Leaked to Shannon Limit versus Error Fraction 

n = 2 X 10^ bits. The results are plotted as a function of the error fraction Crp /n. As 
expected, the theoretical minimum represents a lower bound for the result predicted for the 
protocol. The ratio of the predicted leakage to the theoretical minimum, qp/qmin, is shown 
in Figure ^1 The ratio diverges at very low error rates due to the fact that some parity bits 
are exchanged even if there are no errors in the string. (This divergence is not apparent on 
the scale of the figure.) The discontinuities in the curve occur at points where an increase in 
the error rate causes additional iterations at some point in the protocol. For error fractions 
between 2% and 10%, the ratio fluctuates between about 1.2 and 1.5, indicating that the 
actual protocol can be expected to leak up to 50% more information than the theoretical 
minimum. 

Figure El shows the ratio qp/qmm as a function of g for an error fraction e^p /n of 1%. 
This indicates that a choice of g in the neighborhood of 0.5 results in minimum leakage of 
information relative to the theoretical minimum for this choice of sifted string size and error 
fraction. 



Privacy Amplification Phase 

The general scheme of privacy amplification is described in j21] and jHOl • The hash functions 
map a sifted, error corrected string of length n to a string of length L, where 



L = n — Crp' — q — t — u — a — g^a ■ (264) 

The resulting string is shorter than the sifted string by the number of bits that Eve may have 
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Figure 19: Ratio of Information Leaked to Shannon Limit versus g 

obtained by listening to the classical discussion, plus an additional parameter gpa. In j21j it 
is shown that the expected information, J, that Eve can retain about the hashed string is 
bounded by a quantity that can made very small by a suitable choice of Qpa'- 



I < 



In 2 



(265) 



Hash functions appropriate for privacy amplification are described by Carter and Wegman 
|6nj . The class of hash functions used for authentication and equivalence checking is not 
practical for privacy amplification due to the much larger size of the output string. The 
authentication hash functions are designed to produce output strings that are no more than 
half as long as the input string. Since we wish to retain as much information as possible, it is 
clearly advantageous to use hash functions that can produce an output string that is nearly 
as long as the input string. Furthermore, recall that the length of the index for choosing an 
authentication hash function is 



w{g, 



4 (fl- + log2 logs c) loga c 



(266) 



where c and g are the lengths of the input and output strings, respectively. For purposes 
of authentication and error correction, an output string of length g < 50 is adequate, and 
the length of the index is relatively short even for long input strings due to the logarithmic 
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factors. In privacy amplification, where the output string is nearly as long as the input 
string, this index is roughly 4 times as long as the string to be hashed. In contrast, the 
hash functions suitable for privacy amplification are described by two parameters, each as 
long as the input string, so that the total size of the index is only twice as long as the 
input string. Since the index represents shared secret bits that must be sacrificed in order to 
achieve privacy amplification, it is desirable to use the class of hash functions that requires 
the shorter index. The Carter- Wegman functions described in jHO] are a good choice for 
privacy amplification since they are capable of producing keys nearly as long as the input 
and since they require shorter indices for their definition given the large size of the output 
strings. 

The error correction phase guarantees that the strings Alice and Bob have obtained are 
identical to a high probability. Bob and Alice implement privacy amplification by agreeing 
on an index and applying the hash functions separately to their strings. The resulting 
strings are identical and secret in the sense of privacy amplification fcf eq. ()265|) ). Note that 
the sifting protocol itself supplies random strings of sufficient length to define the required 
hash index. Bob's choice of basis for the 2n pulses he receives is one such source. Another 
alternative is to compute the parities of the indices Bob sends to Alice by which he identifies 
which pulses were detected by his equipment. 

The privacy amplification protocol requires no communications between Alice and Bob, 
as described in Section 3.1.6 above. The security parameter gpa is an additional secrecy 
cost incurred due to privacy amplification, but privacy amplification entails no additional 
authentication cost. 



Total Continuous Authentication Cost 

The total continuous authentication cost is the number of bits from each block of sifted 
bits that need to be sacrificed during the processing of the subsequent block to provide 
authentication and equivalence checking as described above. Collecting the contributions 

from eqs.(|22nD, (EH}, dffl), (E2S1), (EH, (EH, (EH, (EISD, (EIHD, (ElZI), and (EH the 
result is the following sum of six terms: 



a (n, m) 

^{gauth + log2 log2 

+4[fi'anth + log2 log2 (2n) ] log2 {2n) 

+4 {qec + log2 log2 n) log2 n 

+4 {gauth + log2 log2 Qec) log2 QEC 

+gEC 

+4 (gauth + log2 log2 gEc) log2 gEC 
5 

gEc + J2'^j(9j,Cj{fi)) , 



2n (1 + log2 m) > log2 2n (1 + log2 m 



(267) 
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as m eq. 

For example, if we take m = 2 x 10® bits, and n = 2 x 10^ bits to be the processing block 
lengths of the raw and sifted strings, and if we set all security parameters Qi to 30, we obtain 
a total authentication cost of 9.5 x 10^ bits per processing block. For a laser pulse repetition 
rate of 10 GHz, r = 10~^° sec, and the rate at which secret bits are consumed is 

— = 4.7 X 10^ bits/second . (268) 

mr 



4.4.2 System Load: Total Communications Requirements 

The total communications load is the number of bits transmitted in either direction over the 
classical communications channel to support the sifting and error correction protocols for a 
single block of data. Combining eqs. (j226p and (|255p . the result for the Bob-to- Alice link is 



+ iXECQauth + fo 

+E 



i=l 



f 1 + —] XEcJ^'^ + Rog^ k^'^] (l + ^] XEcef 
\ rupj \ rripj ' 



^^t^ {XEC + fo) + iVi^^ [1 + log2 ^1 {XEC + fo) 

+XEC (QEC + Qauth) + fo , (269) 

and the result for the Alice-to-Bob link is 
Ca^b ^ (l + ^]ixEc'2n) 

+ {XEC Qauth + fo) 



+ E 



J" \ 7(i) I n^„ u(ih f 1 I J°\ ,W 



XEcJ^'^ + riog2 A;»l [1 + ^] XEcef 

Nt^ {XEC + fo) + Ni^^ \l + log2 ^1 {XEC + fo) 

XEC {qec + gauth) + fo ■ (270) 



For large m and ra, the sifting transmission from Bob to Alice is by far the largest term. 
Eqs. fj257|) . ()2581 ()386|) . and ()390p can be used to express these in terms of A^2 5e2. ,and q 
if desired. The throughput requirement JH^"^"^ is found by dividing the total load by the 
transmission time mr for a single block on the quantum channel: 

^comm ^ _ (^271) 

TUT 
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Evaluated for reasonable, conservative, values of the parameters {m = 2x10® bits, n = 2x10 
bits, eP = 2 X 10^ bits, r = 10"^° sec, rrip = 1000 bits, xec = '^, fo = 400 bits, g = 0.5, 



9ec = Qec = Qauth = N2 = 30), we obtain a throughput requirement of 

for the Bob-to- Alice link, and 

TV 

for the Alice-to-Bob link.^^ 



= 1600 Mbps (272) 

Boh-to-Alice ^ ' 



= 60 Mbps (273) 

Alice-to-Bob ^ ' 



Figures 1201 1^ 1221 and 1221 show the communication load between Bob and Alice. The 
dependence on n is roughly linear for fixed m. The dependence on m is relatively weak for 
large m and for a fixed ratio njrti. 

4.4.3 System Load: Total Computational Requirements 

In this section we investigate the computational resources that are required to implement 
the sifting, error correction, and privacy amplification algorithms we have been discussing. 
In principle, the processing could be done with special purpose hardware that is designed to 
perform the necessary operations as efficiently as possible. In this analysis, however, we will 
assume that the operations are to be carried out using a general purpose computer. As the 
instruction set of a general purpose computer is not particularly well suited to operations 
such as finding the parities of long bit strings, the results of the analysis should represent a 
conservative upper bound for the processing requirements as compared to what is achievable 
with special purpose devices. 

We ffist analyze the algorithms for sifting, error correction, and privacy amplification into 
processing steps of a size suitable for implementation as assembly language subroutines. The 
steps for Bob's computation that require iteration on the entire string are: 

Pack received polarizations and indices 
(2?T,(1 + log2 m) bits) 

^'^ These values of the required communications bandwidth do not exceed the capabihties of currently 
available optical classical communications technology. As we will see in Section 5.3.2 below, the specific 
numerical parameter values chosen in this example correspond to the case of various free space quantum 
cryptography systems set up between a LEO satellite node and a ground-based (or airplane-based) node. 
Existing classical optical satcom links operating at 1550 nanometers wavelength providing duplex communi- 
cations at rates ranging from 51 Megabits per second to 1.244 Gigabits per second between a ground station 
and GEO satellite have been developed |49| . Thus it is clear that these communications requirements, in 
particular the 1.6 Gigabits per second requirement, can be satisfied for a LEO satellite link, for which there 
is much less attenuation than for the GEO satellite link. As discussed below, it turns out that there arc in 
fact smaller classical communications bandwidth requirements than those given in cas. H272|l and (|273(l for 
a free space quantum cryptography system between a ground station and a GEO satellite, which can easily 
be accomodated by existing communications systems, and the same is true for fiber-optic cable quantum 
cryptography systems. 
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Figure 20: Communication Load from Bob to Alice, Fixed m, Variable n 
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Communication Load from Bob to Alice, Fixed nim. Variable m 
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Figure 21: Communication Load from Bob to Alice, Fixed n/m, Variable m 
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Bob's computational load represents an approximate upper bound for Alice's computational 
load, since Alice does not need to compute an equivalence checking tag, but otherwise has 
to perform computations of comparable complexity. We may thus restrict our discussion to 
Bob's computations without loss of generality. 

We obtain a rough estimate of the total computational load by addressing the computational 
loads associated with each of the above steps. First, we assume that the operations of pack- 
ing, unpacking, sifting, block extraction, bisective search, and parity computation require 25 
assembly language statements (or operations) per bit processed on each iteration. Sections 
of assembly code developed to implement a subset of these operations indicate that this 
should consistently overestimate the required computations. For example, the code segment 
for computing parity included in the appendix requires only 5 operations per iteration. The 
intent of this analysis is to use these conservative estimates for most of the steps in the com- 
putation, but to analyze more carefully those parts of the computation whose contribution 
to the rates is more sensitive to the block size. (Note that computations with loads that are 
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Figure 22: Communication Load from Alice to Bob, Fixed m, Variable n 

strictly linear in the block size lead to rates that are independent of the blocksize, since the 
amount of time available for computation for each block is proportional to the block size.) 

In applying this assumption to the above steps, we note that the initial block parity cal- 
culations for the error detection and correction step process every bit in the string. The 
bisective searches process every bit in the substring under examination, except for 1 bit. 
(For the purposes of this analysis, we simply include the extra bit.) The initial block parity 
calculations for the validation step process half of the bits in the string. 

The estimate of the load for the bisective search in the error detection and correction step 
involves a summation over the iterations internal to the step: 



£Sf^^'^") = 25-Ee?A;«. 



(274) 



i=\ 



This may be expressed in terms of fundamental parameters by using results from the ap- 
pendix "Statistical Results for Error Correction." We obtain: 



L 



{EDC,BS) 



Ni 



25-^(l-/3)/3-H" 



1 (0) Qri 



i=l 



P^-^eP 



25 ■ ^n (1 - /3) Ni 
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Figure 23: Communication Load from Alice to Bob, Fixed n/m, Variable m 
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The computations for the authentication and error correction tags are relatively complex, 
and require more detailed attention. As described by Wegman and Carter, [HE] , the algorithm 
proceeds by partitioning the input string into substrings of length 2s, where 



S = gauth + log2 log2 C 



(276) 



and c is the length of the input string. An auxiliary hash function is applied to each of 
the substrings resulting in a set of strings of length s. The results are concatenated and 
repartitioned into substrings of length 2s. The process is repeated until the concatenated 
string is of length s. The final tag is taken from the lower order bits of this string. The 
hash function is applied [^] times in the first iteration. The length of the input string is 
reduced by one half in each successive iteration, so that the hash function is applied \-:§-^ 
times during the ith iteration. The process continues until 
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or, equivalently, 



^ < 1 , (277) 



Q 

imax > logs - • (278) 

s 
The total number of times the hash function is applied is then 

log2 f 

ntash ^Y. 7^- (279) 

We obtain a rough upper bound by extending the summation to infinity, yielding the simple 
estimate 

Uhash ^ - . (280) 

s 

The hash function itself involves the multiplication and an addition of integers encoded as 
bit strings of length 2s. For (7 ~ 30 and c ~ 10^^ bits, we have, using eq. ()276p . 



2s = 2^ + 21og2log2C~ 70 . (281) 

This is slightly longer than 64 bits, so we will assume that the integer operations operate on 
double words. Each application of the hash function requires three operations: a substring 
of length 2s is extracted from the string, the hash operation is applied to the substring, and 
the substring is inserted into the output string. Assembly code segments for extracting the 
substring and applying the hash operation are presented in the appendix. These segments 
contain 26 and 43 instructions respectively. The code for inserting the result in the output 
string should be roughly as complex as the extraction and will thus require an additional 
26 operations. If we add 15 instructions to handle the loop control, we obtain a total of 
110 operations for each application of the hash operation. The resulting estimate of the 
computational load for the authentication and equivalence checking steps is then 

jr^auth = £|c^ ^ no . £ . (282) 

s 

Potentially the largest contribution to the computational load is the privacy amplification 
hash function. This is due largely to the presence of nested loops in the code that result in a 
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quadratic dependence on the size of the sifted string, n. The assembly code for this function 
is given in the appendix. The resulting load is given by^^ 



,PA .^ i'n\ .„ fn^ ^ 



/:^^^43f-j +46(-j . (283) 

This represents the number of instructions required to perform the hash computation for a 
single block of sifted, error corrected bits of length n. The parameter w is the wordsize of 
the processor in bits. 

We find the total load by summing the contributions from each of the individual steps: 



Cs < Cf 



-25- (2n(l + log2m)) 

_^^Q 2n (1 + log2 m) 

9auth + log2 log2 [2n{l + log2 m)] 
-25 ■ 2n 

2n 
-110 



gauth + log2 log2 (2n) 

+25 ■ 2n 

+25 -n 

+Ni ■ 25 ■ n 

+ 12.5 (l - e^^^) Nin 



A^i"^ + N!iA ■ 25 ■ n 



ivH + ivi^)).25.^ 

+e? ■ 25 ■ ^ 

+25 -n 

n 

+110 

qec + log2 log2 n 

+25 ■ (2n) 

Each term corresponds to one of the steps in the processing. £^ is the "non-iterative" 

^^The authors of jSUj introduce an alternative class of hash functions the computational complexity of 
which is linear in the key size. Use of this class of hash function in privacy amplification could result 
in a moderate reduction in the computational load (as computed in ea. (|289|l below), and/or allow for a 
significant increase in the allowed processing block size |61| . In this case the block size is limited by memory 
requirements and the n (1 + log2 m) term in ea. (|284|l . 
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portion of the load, representing code that executes once for each block of data processed. 
(Note that there may be iterative loops in this code as well. The point is that these loops do 
not represent processing that iterates bit-by-bit through the string.) We simplify the result 
by collecting terms, noting from eq. ()H(i8j) that the residual error count after error correction 
and detection is given approximately by 






2q. 



(285) 



We also drop the double log terms in the denominators, thus replacing those terms by larger 
quantities. The resulting expression is 
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It is instructive to evaluate this expression for the same example used in finding the com- 
munications load. We take the non-iterative contribution to the load to be substantial: 



£^ =10^ operations per block 



^287) 



We take the wordsize of the processor to be 64 bits. The other parameters are as before 



2 X 10^ bits, n = 2 X 10^ bits. 



,(0) 



2 X lO'^ bits, r 



10 



-10 



sec, Q = 0.5, gEc 



[m 

Qauth = N2 = 30). The resulting estimate of the load is 1.1 billion operations per block. 
The quadratic term contributes 450 million operations to the total. Of the other terms, the 
dominant contributions are the term in in N2 + N2 \ which is due to parity checks and 
random block extractions during the validation step of error correction, and the term in 
(1 + log2 m), which is due to sifting. Note that the non-iterative overhead load is negligible 
in comparison with the other contributions. This indicates that a substantial amount of 
"bookkeeping" code can be included along with the core software that is essential to arriving 
at the final secret key without significantly affecting the processing requirements. One of 
the uses of eq. fj286|) is to establish a load budget for such code during software design and 
implementation to ensure that the bulk of the processing resources are available for the core 
software functions. 
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The computation rate 7^^™^ required to support key distribution is found by dividing the 
load per block by mr, the time required to transmit one block over the quantum channel: 

^comp ^ £^ _ ^288) 

mr 

Applying this to our preceding example yields an estimated processing rate requirement of 



j^comp _ gg i-iiUion operations/sec . (289) 

This is rather high for a single general purpose processor, but should be achievable in a 
parallel architecture in which each block of the input data is allocated to a single processor 
as it becomes available. Recall also that general purpose computers are far from optimal for 
this type of operation. Most of the processing steps involving the packing and unpacking 
of the bits would not be necessary in a special purpose device, and many of the other 
processing steps, notably block parity computations and random selection of substrings, 
could be accomplished much more efficiently using special purpose hardware. 
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5 High-Speed Quantum Cryptography 

In this section of the paper we analyze the possibihty of achieving very high data throughput 
rates for a QKD system. We first discuss essential elements that such a system requires, and 
then make use of the analysis in the preceding sections of effective secrecy capacity, system 
losses and loads to deduce universal maximal rates achievable in QKD. 



5.1 Methods to Achieve High-Speed Quantum Cryptography 

There are three different techniques that may be applied to achieve high data throughput 
values: 

• Reducing the value of the bit cell period, r, in the effective secrecy capacity 
or 

• Combining some number of quantum bit transmitting setups together, i. e., combining some 
number of Alice systems together, by multiplexing the outputs into a common bit stream 

or 

• Applying both of the above techniques together. ^^ 

The optimal effective secrecy rate T^opt is inversely proportional to the bit cell period r. For 
the first technique identified above, in decreasing the size of the bit cell period to increase the 
effective rate we need to ensure that Bob's detector apparatus can count incoming photons 
at a correspondingly higher speed as well. A decrease in the bit cell period means that the 
source laser must operate at a higher pulse repetition frequency (PRF) than before, so we 
must also make use of pulsed lasers with the necessary stability to operate at the required 
PRF values. Furthermore, we must ensure that the various opto-electronic components 
and switches can likewise operate at the required high frequencies. The collection of various 
components, all operating at very high repetition frequencies, must be properly synchronized 
together for the protocol to be properly executed. In addition, real-time data recording of 
all necessary quantities must be taken at the required high rate. We discuss in the sections 
below various practical approaches to each of these critical requirements on a high speed 
quantum cryptography system. All of them are requirements that must be satisifed if we 
are to increase the rate by making the bit cell period smaller. 



^^The throughput rate could also in principle be increased by employing a quantum bit generating device 
at the Alice end that, through whatever means, does not generate any multiple particle states. In this 
idealized case the multi-photon privacy amplification function f employed by Alice and Bob could be set 
to i/ = 0, which would result in a significant increase in the throughput rate. If the qubit source produced 
multiple states, but with a smaller likelihood per bit cell than for the Poisson distribution considered in 
detail in Section 3 of this paper, the resulting required value for i/ would lie between and the values of the 
expressions found in cqs.(141) through (151), resulting in an improved throughput rate. 
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The second technique identified above, the multiplexing together of a number of output 
streams into a common transmission, leads us to different concerns. As deduced in Section 
4.4.3 above, the execution of the QKD protocol imposes calculable requirements on the 
necessary computing resources, and for a system operating at a high speed, this is already a 
significant burden for a single Alice device. The required computing resources will be even 
larger for several Alices operating in tandem. As discussed briefiy in Section 3.1.7 above, for 
the multiplexing of several data streams to succeed we must ensure that we are not exceeding 
the computing capacity available to the system. In Section 5.2.6 below we work out how the 
system throughput can be increased while taking into account these computing requirements 
constraints. 



5.2 System Components and Constraints 

In this section we address the practical capabilities of a proposed realistic high-speed quan- 
tum cryptography system, taking into account engineering constraints on the various system 
components. Our purpose here is to illustrate with specific examples that such high-speed 
systems are in principle feasible. These examples of specific components are chosen to sup- 
port the argument that it is possible to design and build such a system entirely out of 
currently available, commercially produced equipment, with the exception of the required 
high-speed photon detectors. For these, we have identified and analyzed the possibilities in- 
herent in a promising new approach to high-speed photon detection, as described in Section 
5.2.1 below.^* The overall design of the Alice and Bob systems, respectively, are illustrated 
in Figures 121] and 123 The general structure of both systems is based on previously proposed 
design concepts [HSl |H2l |Hj. The primary innovation here is the proposed very high speed 
of operation of the system, which we briefiy sketch now. The basic source of the quantum 
bits is a high-speed pulsed laser producing pulses at a PRF of 10 GHz, along with a second 
synchronized laser producing a bright timing pulse. In the Alice system the random choices 
of both polarization bases and states are implemented with two suitable high speed random 
number generators, which operate on a set of three high-speed Mach-Zender interferometers, 
the first intended to select the polarization basis, and the second and third to select the 
specific polarization states. The outputs are balanced by being fed through variable attenu- 
ators, after which they are passed through appropriate filters and put into states of definite 
polarization. These polarized streams are then combined into a common output stream to 
be transmitted through the quantum channel to the Bob system. The necessary real-time 
records of all the random selections for bases and states are obtained via suitable high-speed 
data recording and processing devices, for which appropriate de-multiplexing techniques are 
required, constrained by the speed of available computer data bus rates. The Bob system is 
purely passive, so that all basis and state selection is accomplished, purely randomly, solely 
via optical components. After being passed through a solar filter, the received stream of 
pulses is separated into the data and timing parts by a dichroic beamsplitter, after which 



^®We do not specifically advocate the use of the particular components described herein as necessarily 
comprising the "best" approach to the problem of building a high-speed quantum cryptography system. 
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Figure 24: Block Diagram for Alice System 

the cipher stream is passed through a passive beamsplitter. The "basis stream" outputs are 
sent through two additional polarizing beamsplitters, after which the four separated streams 
are then focussed onto four high-speed photon detectors. As with the Alice system, accurate 
real-time, high-speed recording of the random choices of basis and state are obtained via a 
suitable de-multiplexing scheme. 

The Significance of the 10 GHz System Clock Speed 

What is the significance of the 10 GHz system clock speed we have discussed above? We are 
interested in exploring conditions and constraints that will allow quantum cryptography to 
be implemented at high data throughput rates. The overriding requirement for the success of 
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Figure 25: Block Diagram for Bob System 

such a scheme is to employ robust, stable equipment built from high-speed components. As 
outlined above, this can be achieved by exploiting recent developments in high-speed optical 
communications technology, along with the proposed use of a novel experimental technique 
for high-speed single photon counting that employs cooled thin-film devices. There are a 
variety of commercially available high-speed components for optical classical communica- 
tions {i.e., conveying information in pulses containing very many photons) with 10 GHz 
throughput. This motivates the possibility of carrying out quantum cryptography at the 
same basic clock rate. We have chosen the clock speed of 10 GHz as representative of what 
can be achieved in classical optical communications systems solely with commercially avail- 
able equipment. However, in classical optical communications it is not necessary to count 
individual photons, and in particular not at a rate of 10 GHz. Thus the only additional 
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component required for quantum cryptography at such a clock speed beyond that which 
is commercially available is a suitable means of achieving high-speed single photon detec- 
tion. (Higher system clock speeds would require additional components that are net yet 
commercially available.) Of course, the actual throughput rate that can be achieved will be 
considerably lower than the basic system clock rate, as expected based on the analysis in 
Sections 3 and 4 and as discussed with specific examples in Section 5.3 below. 

In the sections below we describe in more detail the various high-speed components that 
should allow such a system to be implemented in practice. 



5.2.1 Fast Photon Detectors: Hot-Electron Photo-Effect 

It is an essential requirement in achieving high-speed quantum cryptography that we make 
use of a fast data source for the quantum bits transmitted by Alice to Bob. It is necessary 
that the qubit detector apparatus keep strict pace with the rate of qubit generation. There 
are a number of different approaches to the detection of single photons, including the use of 
single photon avalanche diodes, photomultiplier tubes, single-electron transistors and super- 
conducting tunnel junctions. Unfortunately none of these approaches to photon detection 
are ideally suited for the high-speed quantum cryptography system that we propose. We 
require a method to detect individual photons at a wavelength of 1550 nanometers and at a 
sustained rate of 10 GHz, with a suitably high quantum efficiency of detection and a very low 
intrinsic dark count rate. With respect to these requirements various drawbacks characterize 
the existing approaches listed above. These include insufficient sensitivity in the required 
wavelength window, low photon counting rates, requirements for cooling to millikelvin tem- 
peratures, etc. However, recent advances jHEj in work on picosecond response time single 
photon detectors based on the use of superconducting thin films of Niobium Nitride (NbN) 
to exploit the so-called "hot electron photo-effect" suggest that a new approach, well suited 
to the requirements for high-speed quantum cryptrography, can be developed. 

Here we will sketch the main features of the proposed approach. ^^ Hot-electron photodetec- 
tors (HEPs) based on ultrathin niobium nitride films can operate as single-photon counters 
in the wavelength range from below 0.5 micrometers to at least 2 micrometers. The NbN 
single-photon counter is characterized by a high (40%) intrinsic quantum efficiency and 
practically negligible dark counts [01].^° The counting rate is intrinsically limited by the 
electron-phonon interaction time, measured to be 10 picosecond. The response of practical 
devices is further limited by the phonon escape time from the film to the substrate and 
is equal to approximately 30 picosecond ^^. The primary detector element consists of an 



^^AU other elements of our proposed approach to high speed quantum cryptography are based on existing, 
mature technology. High-speed (10 GHz) detection of photons at 1550 nanometers wavelength, however, is 
not an existing, mature technology. We have identified and here discuss an approach to high-speed photon 
counting for quantum communications at telecommunications wavelengths that is very promising, based on 
initial experimental results. 

™ The dark count probability can be estimated to be no greater than approximately e""*" sa 4.25 x 10^^^ 
based on an experimentally measured signal-to- noise ratio of 40 in a given HEP cycle period |H5] . 
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ultrathin (5 nanometers), very narrow (0.2 micrometers) NbN strip, maintained at a temper- 
ature of 4.2 K. Although this low temperature requirement may be problematic for standard 
"long-haul" telecommunications applications, its proposed use here is for the specialized area 
of secure quantum communications for which it is entirely acceptable. In this connection we 
emphasize that the systems we propose, in the case of free space implementations of quan- 
tum cryptography, involve placing the Alice system on the orbiting satellite, so that the Bob 
system, which is where the necessary cryogenic appartus will have to be situated, is either on 
the ground or on an airplane. In either case it is much easier to arrange for the operation of 
the cryogenic system than would be the case if we envisaged placing the Bob system on the 
satellite. In early experiments such detectors have already been demonstrated to be able to 
count individual photons, characterized thus far by a measured response time of 100 picosec- 
onds, which although lower than the theoretically predicted maximum of 30 picoseconds is 
already fast enough to allow photon counting at 10 GHz. The actual PRF of the source laser 
in completed experiments was much slower, pulsing in different experimental setups at a 76 
MHz PRF producing 790 nanometers wavelength light, or at 1 KHz PRF producing pulses 
at wavelengths of 500 nanometers, 1500 nanometers and 2100 nanometers. ^^ In early exper- 
imental results the initial estimated quantum efficiency was determined to be 20%, which is 
not yet as high as the theoretically achievable value. An advantage of the HEP approach to 
single photon counting, apart from the ability to achieve extremely high detection rates, is 
the lack of the so-called "afterpulsing" problem that plagues other approaches. 

The extremely narrow width of the NbN strip in the detecting element necessitates the 
manufacturing and use of long-microbridge and meander structures to increase the active 
area so as to mitigate the "behind-the-telescope" loss discsussed in Section 4.1.4 above. The 
overall design would require the side-by-side placement of a small number of detector "chips," 
on each of which would be affixed a single meander structure of NbN thin film. Each such 
meander structure would incorporate a single input lead and single output lead, so that 
capacitance constraints on the set of chips can be expected to be minimal. 

A fuller discussion of this emerging technology and its application to high speed quantum 
communication will be presented elsewhere 



5.2.2 High Pulse-Repetition-Frequency Lasers 

The state-of-the-art in experimental research in high-speed pulsed lasers {e.g., ^\) makes 
the use of 10 GHz PRF sources a completely realistic possibility, assuming that we can also 
count single photons at the same rate. Commercial fiber mode-locked lasers operating at 
this PRF value are available, making this a very practical instrument to incorporate into an 
actual QC system implementation. 

Recent "heroic" experiments (TO] in which pulsed lasers operating at a PRF of over 450 
GHz have been carried out, demonstrating the possibility that at some point in the future 

^^Work is in progress ^7\ to obtain results at higher PRFs, specifically at 1550 nanometers wavelength. 
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it might be possible to implement a practical QC system operating at a bit cell period of 
2.2 picoseconds if it should prove possible to detect individual photons at the same rate. Of 
course, as we discuss below, the critical difficulty here is to maintain real-time date recording 
at this rate. 



5.2.3 High Speed Opto-electronics Components 

The use of Mach-Zender interferometers that operate at switching speeds of 10 GHz has been 
common in the laboratory for many years. Much recent work has been done on achieving 
substantially higher switching speeds for Mach-Zender interferometers j721IZlllZ3[7n], leading 
to the current situation in which it is should be feasible as such to incorporate 40 GHz devices 
in practical quantum cryptography systems, if photon detection and suitable real-time data 
recording can also be accomplished at the same rate. 



5.2.4 Synchronization Constraints 

As has been proposed and demonstrated elsewhere {e.g., j2]), a bright timing pulse gener- 
ated by a suitable pulsed laser operating at the same PRF as the source laser can be used 
to provide necessary system synchronization across the various components. In the system 
that we envisage for high speed quantum cryptography, the bright timing pulse laser will be 
connected to the 10 GHz system master clock. In addition to this, the stringent synchro- 
nization requirements that are dictated by a high-speed system also require that the master 
clock must be connected via 4- and 10-way splitters to the data recording de-multiplexing 
system, as illustrated in Figures |Ml 1211 and 123 which serves to synchronize the "internal" 
oscillators of the data recording computers to the "external" pulse rate of the Alice laser 
system. 



5.2.5 Data Recording De-multiplexing Constraints 

In considering a practical design for a quantum cryptography system intended to achieve 
high-speed throughput, an important requirement is to isolate the potential "clogging points" 
of the overall scheme. The crucial question is: What is the limiting engineering design issue 
that slows down the system operation? It is clear from all the preceding analysis in this 
paper that, having properly accounted for the many system losses and loads, and assuming 
that very fast photon detection at a suitably high value of quantum efficiency is possible, the 
main "engineering" issue to address is that of keeping proper, error-free, real-time records, 
at both the Alice and Bob ends of the system, of the continuous stream of information, such 
as polarization basis and state information, that must be carried out in order to perform 
the processing required in the protocol. Here we are limited mainly by the current state 
of the art in achieving sufficiently high data bus speeds. The speeds, as such, of the central 
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processing units in the various control computers do not furnish the hmiting constraint here: 
it is essential to keep a running tally of the polarization state of each and every bit cell 
transmitted from Alice to Bob, and to do so without errors. 

In our analysis we will consider a situation in which we are constrained to make use of prac- 
tical data bus devices which can accomodate incoming data at a rate of 250 Megabits per 
second, which is many times slower than the 10 GHz PRF of our proposed laser source/^ 
The solution to this problem is to design a suitable de-multiplexing system that can connect 
these very different rates, making sure to include appropriate error correction capability. 
One possible (although expensive) approach to this problem is to employ existing OC-192 
telecommunications equipment intended to operate at a 10 GHz repetition rate. As illus- 
trated in Figurelini one may envisage employing commercially available OC-192 4:1 DEMUX 
chips in a practical quantum cryptography implementation. These typically include a framer 
to support channelized OC-192 "synchronous optical network" (SONET) and "synchronous 
digital hierarchy" (SDH) traffic and 10 GHz bit error rate testing in various telecommunica- 
tions applications.^^ In the same system one may also employ commercially available 10:1 
DEMUX chips that operate at a repetition frequency of 2.5 GHz. A parallelized set of four of 
these can be linked in sequence to the OC-192 DEMUX unit to achieve a net demultiplexing 
ratio of 40:1, which then produces an integrated output suitable for routing through a 250 
Megabit per second data bus. The data stream would be fed via Gigabit per second ethernet 
link to the data storage components of the system for real-time processing according to the 
QKD protocol. 

The principal objective here is to be able to carry out real-time quantum cryptography, where 
at any given moment during the transmission of qubits a previously transmitted batch are 
being processed. The data recording de-multiplexing solution described above, and other 
approaches to the problem of real-time data recording furnish practical solutions that can 
be implemented entirely with currently existing technology. A more thorough analysis [77] 
of the actual requirements and system details, including a comparison with related real-time 
data recording solutions from both telecommunications and experimental particle physics 
applications can be carried out to demonstrate that this problem can be completely (at 
some cost) solved for practical quantum cryptography systems. 

'^^ Although this rate is also somewhat faster than the bus speeds currently found in typical, commercially 
available personal computers, this apparent incompatibility in fact docs not pose a problem. The effective 
data recording rate is dictated by both the intrinsic bus rate and the width of the bus. Taking both these 
factors into account it is clear that the requirement of 250 Megabits per second is well within the capabilities 
of commerically available high-end personal computers today. 

^•^Thc standard commerical OC-192 bit error rate test units are typically designed to be compatible with 
the SONET family of protocols, which would require that appropriate SONET pattern framing be encoded 
in suitable segments of the bright timing pulse in order to use such equipment "as is" for high speed quantum 
cryptography. Other framing schemes are obviously possible as well. 
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Figure 26: Block Diagram for Data Recording System 
5.2.6 Multiple Transmitter-Receiver Multiplexing Analysis 

Here we outline the methods whereby the throughput of a quantum cryptography system 
can be increased by multiplexing together the outputs of some number of transmitters into a 
common data stream/^ The notion of multibeam transmission has been previously proposed 
for deep space, classical lasercomm applications ^|. Here we extend that concept to the 
area of quantum communications. 

^"'Notc that the "multiplexing" referred to in this section is different than the "(de)multiplexing" referred 
to in the previous section. In the previous section "(de)niultiplexing" pertained to data recording associated 
with a single Alice-and-Bob system, while the in the present section "multiplexing" refers to data transmission 
associated with several Alice-and-Bob systems. 
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To determine what are the throughput possibihties and constraints for any scheme involv- 
ing the poohng together of the output streams of more than one Ahce device we need two 
mathematical relationships: (1) the explicit function that provides a relationship between 
processing block size and the associated computing resource requirements, and (2) the ex- 
plicit relationship between processing block size and throughput rate. We have derived both 
of these in this paper. Together, these two pieces of information allow us to determine the 
relationship between fiducial block size and throughput rate for any individual Alice-and- 
Bob system, as well as for any combination of Alice-and-Bob systems multiplexed together 
with different chosen block sizes. 

The general approach to this problem is as follows: 

• First we establish, for a given single Alice-and-Bob system operating at a specified inverse 
bit cell period r~^, what is the largest allowable processing block size based on the maximum 
computing machine power available using the known relationship between block size and 
computing resources (cf eq. ()28fi|l ). We denote the maximum available computing resources 
(measured in terms of basic computer instructions per second)^^ by CceUmg, and we denote 
the associated processing block size, referred to as the "ceiling" block size, by the symbol 
B ceiling- Thus B ceiling IS the largest possible processing block size on which a single Alice- 
and-Bob system can operate as constrained by the available computing resources. The block 
size Bceiiing IS then used in the known relationship between block size and rate, i.e., the 
equation for the optimal effective secrecy rate (cf eq. ()17H|l ). to determine what the highest 
rate is, constrained by the available computing resources, for a single Alice and Bob setup.™ 

• Second, we examine the consequences of reducing the ceiling block size to some proposed 
smaller size B smaller- Using again the known relationship between the block size and comput- 
ing resources, we determine how many copies of Alice-and-Bob systems can be operated at 
the smaller processing block size without exceeding the overall computing resource constraint 
dictated by the value CceiUng- 

• Third, we again employ the known relationship between the system throughput and 
processing block size to determine the rate that can be achieved by a single Alice-and-Bob 
system operating on processing blocks of the smaller size B smaller- By comparing this with 
the previously determined rate that applies for a single Alice-and-Bob system operating on 
the larger block size Bceiiing , we may obtain the decrease in rate that arises upon replacement 

of Bceiiing with B smaller - 

^^The "maxiiTLum available computing resources" will be determined on a case-by-case basis for the par- 
ticular application that is envisaged. In the case of a free space implementation for which Alice is placed on 
an orbiting satellite, for example, there may be more stringent constraints (dictated at least in part by how 
much computing machinery can be physically fitted on board the satellite) than those that apply when both 
Alice and Bob are on the ground. 

^^We now see explicitly why it is impossible to analyze any such multiplexing scheme by using expressions 
for the effective secrecy capacity and effective secrecy rate that are only valid in the abstract limit of an 
infinitely long cipher. In the infinitely long cipher limit, the transmit block size, which is simply some 
specified number of raw bits mo, completely drops out of the expressions for S and TZ. 
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• Fourth, we combine the above results to obtain the final change in total throughput rate 
that occurs when some number of copies of single Alice-and-Bob systems, each operating on 
processing blocks of size B smaller, are multiplexed together. 

Going through the above steps in detail, we write the expression that relates the general 
block size B to the associated required computing resources C as 

C = C{B) 

= aiB^ + ■■■ 

- aiB^ , (290) 

where the detailed form of this relation, including the explicit value of the leading coefficient 
fli, was derived in Section 4.4.3 above and is given in eq. ()28fij) . It is sufficient for the present 
discussion to note that the computing resources scale quadratically with the processing block 
size. 

We now take as given some fixed amount of computing power that for whatever reason may 
not be exceeded for any implementation, and call this amount CceiUng- Using the above 
equation we find the associated block size, BceUing, determined by: 



^ceiling — ^ \^ceiling) 
ceiling 5 



(^iBceilinq ) (291) 



associated to which we find the largest possible rate for a single Alice-and-Bob system, 

ji (single) 

''^niax = '■<-opt y^ceiling) i \Z,i)Z) 

where we have displayed only the processing block size dependence in the argument of T^opt 
and suppressed all other dependences (c/eq.( 



We now propose a new, smaller processing block size Bsmaiier, that is related to the ceiling 
block size by the reduction factor 6 < 1: 

-'^smaller '■^^ceiling ■ y^jo) 

The computing resources consumed for a single Alice-and-Bob system that employs the 
smaller block size Bsmaiier are calculated to be 

^smaller ^ ^ \^smaller) 
= G [pBceiling) 



•^1" ^ceiling + 
ceiling 



a.b'B^ 



and thus we find 



— ^ceiling ; yZv^j 

^ceiling — " X Lj smaller • \Z,\)Dj 
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Thus, we may simultaneously run altogether as many as b~'^ parallel implementations of 
single Alice-and-Bob systems, each employing a processing block of size Bsmaiier (and thus 
each consuming an amount C smaller of computing resources), and still satisfy the overall 
computing resource constraint dictated by the value CceUing- This can be done simultaneously 
by interleaving the output streams of the individual Alice-and-Bob systems into a common 
stream using any one of several multiplexing schemes, including for instance simple time 
division multiplexing, space division mutiplexing, etc. {e.g., |HD1)-^^ 

To determine the total throughput rate that would be achieved in such a multiplexed system, 
we first determine the rate that applies for a single Alice-and-Bob system operating on the 
smaller processing block 

'^smaller — i^opt [^smaller) , (296) 

from which we deduce the relative rate decrease, r, that characterizes the replacement of 

-^ceiling WIXU -D smaller- 

^ {single) 

r = r°","; • (297) 

^ [single) ^ ' 

I'Cmax 

The main point is that the total throughput rate that can be achieved in the multiplexed 
system will be better than that which can be achieved with a single system operating on the 
ceiling processing block size by a factor of as much as 6~^ x r, if as many as b~^ Alice-and- 
Bob systems operating on blocks of size Bsmaiier are multiplexed together. Depending on the 
competing values of b and r, this can be a quite significant increase in rate, and as long as 
the rate decrease r is larger than O (6^), there will at least be some increase in the rate7^ We 
may now obtain the final throughput rate that will be achieved in the multiplexed system, 

-1^ (multiplexed) „ „ 
'"^max 5 ab 

^{multiplexed) ^ A-2 ^ ^\ ^ 7^(^™/^) , (298) 



where this maximal result specifically applies to the case that a total of 6 ^ Alice-and-Bob 
systems are multiplexed together. 



5.2.7 High Speed Random Number Generation 

Although for the purely passive Bob setup that we advocate there is no need to actively 
generate random numbers with which to associate the successive choices of polarization 
basis, such an active choice may be required at the Alice end of the system. This topic, 
which is of crucial importance to the successful execution of quantum cryptography, cannot 
be discussed in an unrestricted publication and will be treated elsewhere. 



^^Of course, there is a computing resource cost associated to the actual multiplexing implementation, per 
se, but this is very small for the simple time division multiplexing which would be adequate to achieve the 
objective under discussion here. 

^^One may of course choose to multiplex fewer than b~^ Alice-and-Bob systems together, and still achieve 
a (smaller) increase in rate, depending on the actual value of r. 
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5.3 Universal Maximal Rate Predictions 

In this section we make use of the different results obtained in this paper to deduce universal 
bounds on the maximal throughput rates that can be achieved with various quantum cryp- 
tography systems and scenarios. We consider examples of ground-ground, ground-satellite, 
air-satellite and satellite-satellite links. 



5.3.1 Necessary Condition for Unconditional Secrecy 

Although the full derivation of the complete effective secrecy capacity is rather complicated, 
the necessary condition that must be satisfied in order to ensure that Alice and Bob share 
at least some unconditionally secret bits (in the sense of privacy amplification) is extremely 
simple. There will be at least some number of secret bits shared between Alice and Bob if 
the optimal effective secrecy capacity is positive: 

Sopt > . (299) 

If this simple necessary condition is satisfied then we are guaranteed that there will be some 
secret bits, as we have constructed Sopt to account for all system effects, so that there are 
by definition and construction no losses suffered by the system other than those which are 
already incorporated in iSopt. 

Given that the condition in eq. (j299p is satisfied, any quantum cryptography system will 
produce some number of secret bits shared between Alice and Bob. The particular rate at 
which these secret bits are generated will then be entirely determined by the value of the bit 
cell period and by the number of multiple beams, if any, that are multiplexed together. 



5.3.2 Systems with Single Transmitter-Receiver Arrangement 

In this section we consider a number of representative examples of quantum cryptography 
systems to illustrate the throughput rates that can be achieved for the exchange of uncondi- 
tionally secret Vernam cipher material between Alice and Bob. For all of the examples below 
we assume for definiteness that the laser at the Alice end of the system produces pulses of 
light at a wavelength of 1550 nanometers. Although they are not available today, we also 
assume for all but the last of these examples that high-speed HEP photon detectors, of the 
kind described in Section 5.2.1 above, will in the near future be available to count photons at 
a rate of 10 GHz corresponding to a bit cell period r = 100 picoseconds, with a dark count 
per bit cell of 4.25 x 10"^^ (as discussed in footnote 1701 above) . In the last example below 
we will calculate rates based on the use of generic, currently available commercial photon 
detectors capable of detecting photons at a rate of 1 MHz with an assumed dark count per 
bit cell rating of 1 x 10"^. 
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(z) Free Space Quantum Channel: Aircraft-to- Satellite (LEO) Link 

For this example we consider a quantum cryptography setup in which Ahce is located on a 
LEO satellite at an altitude of 300 kilometers above MSL and Bob is located on a platform 
at an altitude that is substantially above the bulk of the atmospheric turbulence, which 
we take to be an aircraft flying at 35000 feet or higher {e.g., such as a suitably modified 
Joint Surveillance Target Attack Radar System (Joint STARS) aircraft). As with the var- 
ious examples given in Section 4.1.3 above, we take the diameter of the aperture of Alice's 
transmitting instrument to be D^ = 30 cm. Inspection of Figure El reveals that in this 
situation the line attenuation will be given by a = —10 dB if we take a value of Db = 58 
cm for the diameter of the aperture of Bob's receiving instrument.™ ^° 

In Figure EH we plot the optimal effective secrecy rate, T^opt, for the above QC system 
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Figure 27: Effective Rate Graph for Aircraft-to-Satellite (LEO) Link: a 
- 58 cm telescope at 35000' ; "Alice" - 30 cm telescope on LEO satellite) 



-10 dB ("Bob" 



as a function of the bit cell period. Inspection of the graph reveals that for a bit cell 
period of 100 picoseconds, corresponding to a laser with a PRF of 10 GHz, and a photon 
detector device efficiency t] of 50%, the maximum rate for the generation of Vernam cipher 

^^This is a realistic value for the size of airborne optics. For example, it is publicly known ISl! that the 
U.S. Department of Defense U-2 and U-2R aircraft have in the past been equipped with the 30-inch (76.2 
cm) Optical Bar Camera, in addition to other sensors. 

^''We emphasize again, as discussed at the beginning of Section 4.1 above, that the line attenuation a is 
not the "total" attenuation suffered by the signal. 
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material is about 57 Megabits per second, ^^ based on a calculated value for the optimal 
mean photon number per pulse of /iopt = 0.455, which is obtained by numerically solving 
eq. ()170|l . This is illustrated in Figure l28| where the (real) solution to eq. ()170|l is plotted. 



For this example we have taken an assumed fractional intrinsic channel error rate value of 

Optimal Value of fxfor Aircraft-to-LEO Satellite Link 




fi (mean photon number per pulse) 

Figure 28: Effective Secrecy Capacity Graph for Aircraft-to-LEO Link:// = 50%; Vc = 0.005 
a = -10 dB (58 cm telescope at 35000' - LEO satellite) 

Tc = 0.005. From eq. (j206|) we see that this value of r^ requires active control of the relative 
angular misalignment between the satellite and the airborne platform so as to restrict overall 
relative motion within a cone of solid angle 
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< 2 arcsin ( VO.005 
= 0.142 radian 
= 8.11 degrees . 



(300) 



This throughput rate is higher than that provided by a standard T3 telecommunications 
link, and in particular is faster than the 45 Megabits per second data rate of the TACLANE 
encryptor system 



We see that for re = 0.01, which (as described in the text below eq. ()206|l ) requires attitude 
control within a cone of solid angle 11.5 degrees, the optimal effective secrecy rate decreases 



^^Due to the assumption in this example that Bob is above most of the atmospheric turbulence we note 
that the rates for this scenario are independent of the slant angle between Bob and Alice. 
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to T^-opt = 49 Megabits per second, in this case for a lower optimal mean photon number per 
pulse value of fiopt = 0.426. If we allow instead for a value of r^ = 0.02, which only requires 
attitude control within a cone of solid angle of 16.3 degrees, we find an optimal throughput 
rate of TZopt = 36 Megabits per second, for /iopt = 0.37. 

If we consider now a photon detector apparatus with a lower intrinsic device efficiency of 
r] = 25%, we find that for a value of Vc = 0.005 the optimal throughput rate drops to about 
21 Megabits per second (for a value of //opt = 0.131), with rate values of about 18 Megabits 
per second for quantum channels characterized by fractional intrinsic error values of either 
1% or 2% (for /iopt = 0.125 and /iopt = 0.122, respectively). Finally, we note that when the 
device efficiency of the photon detector apparatus drops below about t] ^ 5%, there can be 
no unconditionally secret Vernam cipher material exchanged at all between Alice and Bob. 

For all of the above scenarios we have taken a value for the Shannon deficit parameter x of 
X = 1.16 ( cf eq . ()43|) ) . which means that we are assuming that an efficient method of error 
correction has been employed that approaches the Shannon limit to within 16%, and we use 
a raw bit processing block size oi m = 200 Megabits. In addition, we have also set all of the 
continuous authentication security parameter values, Qi, fcf eq. ()152j) ). as well as the privacy 
amplification security parameter Qpa, equal to 30, and we have employed a value of e = 10~® 
for the selectable infinitesimal quantity that determines the success likelihood for attacks on 
single-photon pulses (cf eq. ipnjl and the discussion in the text above eq. pKj) ). 

(ii) Free Space Quantum Channel: Earth-to-Satellite (LEO) Link; clear weather 

For this example we consider a quantum cryptography setup in which Alice is on a LEO 
satellite at an altitude of 300 kilometers and Bob is on the ground at MSL. Unlike the 
previous example, in this scenario the full effects of atmospheric turbulence are important. 
As before we take the diameter of the aperture of the transmit optics to be Da = 30 cm, and 
we see from Figure El that in order to achieve a value for the line attenuation of a = —20 dB 
we must take a value of Db = 50 cm for the diameter of the aperture of Bob's receiving 
instrument. As before, we assume a value for the Shannon deficit parameter of x = 1.16 and 
employ a raw bit processing block size of m = 200 Megabits. 

In Figurel^we plot the optimal effective secrecy rate for this QC system as a function of the 
bit cell period. Inspection of the graph reveals that, for a pulsed laser source with a PRF of 
10 GHz and a photon detector with an intrinsic device efficiency of ?7 = 50%, the maximum 
rate for the generation of Vernam cipher material is now about 1.3 Megabits per second, for 
a calculated value of the optimal mean photon number per pulse of /iopt = 0.131, where we 
have assumed that Tc = 0.005. If we instead consider values of r^ = 0.01 and Vc = 0.02, 
we find corresponding throughput rates of 1.05 Megabits per second and 665 Kilobits per 
second for values of /iopt = 0.125 and /iopt = 0.111, respectively. 

We note that the effective throughput rates drop precipitously if we consider photon detector 
apparatuses with a smaller intrinsic device efficiency of 77 = 25%. In this case we find that, 
for a value of Tc = 0.005 there is a maximum throughput rate of unconditionally secret 
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Vernam cipher material of about 165 Kilobits per second (for a value of fiopt = 0.0898), and 
for a value of r^ = 0.01 the maximum rate is about 105 Kilobits per second (for a value of 
Z^opt = 0.0848). Poorer values for either the detector efficiency t] or the fractional intrinsic 
quantum channel error Tc produce essentially no viable throughput of Vernam cipher material 
at all. 

For the above examples we have assumed "clear" weather conditions for the input to the 
FASCODE runs (as described in Section 4.1.2 above, this is defined as yielding 23 kilometers 
visibility), and we have taken the LEO satellite to be located at zenith above Bob. We have 
also taken values of Qi = Qpa = 30 and e = 10~^. 

In contrast to the previous example in which maximal rates in excess of those characterized 
by T3 telecommunications lines are possible, we see that the effects of atmospheric turbu- 
lence reduce the maximal possible rate for a ground-to-LEO satellite link in clear weather 
conditions to slightly less than that provided by a standard Tl telecommunications line, if 
we make use of a small (50 cm) receiving telescope. ^^ 
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Figure 29: Effective Rate Graph for Earth-to-Satellite (LEO) Link: a = -20 dB ("Bob" - 50 
cm telescope at mean sea level ; "Alice" - 30 cm telescope on LEO satellite; clear weather) 

However, further inspection of Figure El reveals that we may achieve the much better line 
attenuation value of a = —10 dB by employing instead a receiving telescope with an optical 



^^Note that the publicly acknowledged data rate for the radiation-hardened U.S. Department of Defense 
MILSTAR satelHte is that of a Tl link (H3|- 
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aperture of Db = 1-6 m. (Since the Bob apparatus is on the ground in this example, the 
larger size of the receiving telescope optics is acceptable compared to the previously consid- 
ered scenario in which Bob is located on an airborne platform.) In this case, the effective 
throughput rates will be identical to those obtained for the aircraft-to-saltellite link example 
considered above, as we illustrate in Figure EDl^^ Thus it should be possible to establish 
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Figure 30: Effective Rate Graph for Earth-to-Satellite (LEO) Link: a = -10 dB ("Bob" - 
L6 m telescope at mean sea level ; "Alice" - 30 cm telescope on LEO satellite; clear weather) 

between a ground station and a LEO satellite a clear weather quantum cryptography link 
that operates at a rate somewhat faster than that provided by a T3 line when the satellite 
is at the zenith location. (When the satellite drops to the 45 degree declination position 
the value of the line attenuation will change to about a = —11.8 dB, causing a drop in the 
throughput rate.) 
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Free Space Quantum Channel: Earth-to-Satellite (LEO) Link; light rain 



To illustrate the severe link degradation that can spoil a quantum cryptography system in 
the presence of adverse weather conditions, we again consider an example in which, as before, 
Alice and Bob are located, respectively, on a LEO satellite and at a ground station at MSL. 
In this case, we replace the assumption of clear weather conditions with the assumption 



^•^In this example we keep all parameters at the same values used for the calculation of the ground-to-LEO 
satellite link rate with the 50 cm receive optics, except that we use the values for /iopt that we found in 
Scenario (i) above for the aircraft-to-LEO satellite case (because the line attenuation has the same value). 
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of "light rain" conditions. This is quantitatively incorporated in the problem by running 
the FASCODE computer program with the appropriate corresponding input parameters, for 
which "light rain" is defined (as in standard meteorological analysis) as comprising 5 mm per 
hour of precipitation. Numerical results analogous to those displayed in the graph in Figure 
El indicate that if we take the diameter of the aperture of the transmit optics to be Da = 30 

Effective Quantum Cryptographic Tlirougliput of Secret Vernam Ciplier 



l\ 

A 


EARTH- TO- S/kTELLITE LINK 
"Alice" on satellite : :iOcm transmit optics 


LIGHT RAIN 


\ \\ "Bob" at mean sea levfil : 43cm receive optics 

1 A "Cascade" error correction : Shannon exceedence=' 6% 

\ M Contiruous authentication orccessina block size -200(1 Tbits 


tk 








*\ \ A 






re=0.5% ( solid) '_ 
rc=l% ( short dashed) 
rc=2% ( long dashed) 

r^=4.2Sxin"" r.onnts/ nel 1 








O!=-60dB 

45°degree slant angle 




^^^^i;^^ 




• 


ri=25% 


"^^"^ ~~ -— 


l—^^^^^^^^^^TzrZ?^ 


— =-_ - 







IXlO 

bit cell period ( seconds) 



Figure 31: Effective Rate Graph for Earth-to-Satellite (LEO) Link: a = -60 dB ("Bob" - 
43 cm telescope at mean sea level ; "Alice" - 30 cm telescope on LEO satellite; light rain) 

cm and the diameter of the aperture of the receive optics to be Db = 43 cm (slightly smaller 
than, but roughly comparable to, the smaller of the two receive apertures used in Scenario 
(ii) above in the clear weather example), the line attenuation will be given by a = —60 dB 
for a slant angle of 45 degrees. For this scenario we observe a very severe decrease in the 
throughput rate of the system, as can be seen from the results plotted in Figure |^ With 
the parameters Qi, Qpa, e and x set identically to the values taken in the clear weather 
example above, we find that the maximum throughput rate for a ground-to-LEO satellite 
link in the presence of light rain is given by about 5 bits per second for a bit cell period 
of 100 picoseconds and a detector efficiency of 50%, assuming a quantum channel fractional 
intrinsic error of Vc = 0.005 and employing a calculated optimal value of /lopt = 0.00328. This 
drops to a rate of about 2.25 bits per second for a system with a photon detector efficiency 
of 25% and a quantum channel fractional error of r^ = 0.02, corresponding to a value of 
Hopt = 0.0029. Note that, in order to achieve even these low throughput rates it is necessary 
to take a value for the raw bit processing block of m = 2000 Terabits (as opposed to the 
value of m = 200 Megabits employed in the previous examples). Smaller values for the raw 
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bit processing block do not yield any shared secret Vernam cipher material at all, due to the 
very severe degradation to the quantum channel caused by the rain. Although the use of such 
a large processing block can in principle be arranged so as not to introduce a larger classical 
communications bandwidth requirement between Alice and Bob,^^ a processing block of this 
large size is nevertheless not realistic for satcom quantum cryptography applications. This 
is because the physical size requirements on the memory that Alice must utilize to accept 
such a large raw bit processing block are incompatible with typical satellite space (and power 
and cooling) constraints.^^ Furthermore, without monitoring of click statistics by Bob it is 
impossible to achieve any viable throughput in this scenario, so that we have made use of the 
appropriately modified form of the privacy amplification function in computing these rates 
(cf eg. (jSip ). wherein the the leading term is down by a factor of rj compared to the version 
without monitoring of click statistics. In addition to the preceding, we have also had to 
employ a slightly modified value of ze (/i) ( cf eq.^7\i) to achieve even these rates: following 
the discussion in the text between eqs. (|57|) and (|58p . we have (in this example only) assumed 
that the enemy is unable to achieve the full strength direct attack implied by eq.(|57|). which 
varies as ze (/i) = ^^/i'^ + O (yU^), and instead taken a value of one-third of this, so that 
in the corresponding privacy amplification function we have z^; (/i) = ^fi^ + 0{^^). Of 
course, it would be possible to achieve higher throughput in the presence of adverse weather 
conditions by employing a larger aperture for the receive optics at the Bob site (modulo 
the above-mentioned concerns regarding physical constraints on memory that can be placed 
on a realistic satellite). If we instead use a receiving telescope with an optical aperture of 
Db = 1.4 m we obtain the better line attenuation value of a = —50 dB. The results for 
this case are illustrated in Figure |221 inspection of which reveals a maximum throughput 
rate of 164 bits per second for a detector efficiency of 77 = 50%, a bit cell period of 100 
picoseconds, a quantum channel fractional error of Tc = 0.005 and at a calculated optimal 
value of yUopt = 0.0106 with a slant angle of 45 degrees. 

{iv) Free Space Quantum Channel: Earth-to- Satellite (LEO) Link; moderate rain 

In the presence of "moderate rain," which is defined for FASCODE runs as comprising 12.5 
mm per hour of precipitation, the line attenuation a becomes much worse, never any better 
than -76 dB even for a LEO satellite located at zenith above the ground station with a 
receiving optics aperture of Db = 1.6 m diameter. In this case the only means of producing 
any shared, unconditionally secret Vernam cipher at all is to increase the processing block 
size to a value which is not practical for currently available computing machinery that can 



**The communications load in bits per second is actually smaller for a larger raw block size, toq, provided 
the sifted block size, no, does not change. This may be understood on the basis of two observations: the 
number of transmitted bits per block is roughly linear in the size of the sifted block and depends only 
weakly on the size of the raw block, and the amount of time available to carry out the transmission increases 
linearly with the raw block size. The communications load then varies roughly as no /mo, which decreases 
with increasing mo at constant no. 

*^A rough estimate based on the characteristics of currently available memory modules indicates that such 
a processing block would require enough space on the satellite - for the memory alone - to accomodate a 
large vehicle such as a truck. 
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Figure 32: Effective Rate Graph for Earth-to-Satellite (LEO) Link: a = -50 dB ("Bob" - 
L4 m telescope at mean sea level ; "Alice" - 30 cm telescope on LEO satellite; light rain) 

be fitted on a satellite. 

(v) Free Space Quantum Channel: Earth-to-Satellite (GEO) Link; clear weather 

We now consider the example of a ground-to-GEO satellite link. Thus, we assume that Alice 
is located on a geosynchronous satellite above the Earth at an altitude of 35783 kilometers 
(22236 miles) above mean sea level. In order to achieve a viable effective throughput rate 
of Vernam cipher material we envisage for this scenario that Bob is located at a sufficiently 
high altitude so as to mitigate somewhat the effects of atmospheric turbulence. Unlike the 
example of the aircraft-to-satellite link considered above, we here want to describe a situation 
in which there would be a more-or-less permanent link between the Bob and Alice, so that 
Bob should be located at a ground receiving station. An important point here is that the 
GEO link should be available for a much more extended period of time that is the case for the 
LEO link, which would provide access for a roughly nine minute period before the satellite 
drops below the horizon visible to Bob. Thus, we may hope to achieve effective, integrated 
throughput values that are higher in the GEO link case than in the LEO link case. 

For this computation we have taken the parameters Qi, Qpa, e and x as in the previous 
examples, but we now choose a value oi m = 2 Gigabits for the raw bit processing block 
size. Unlike the example of the Earth-to-LEO satellite link in the presence of light rain, for 
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which it was necessary to take a much larger value for the raw bit processing block size, 
this value imposes no practical difficulties regarding either communications bandwidth or 
physical space requirements for memory size on the satellite. We do adopt, however, as in 
the example above of the Earth-to-LEO satellite scenario, the assumption that Bob actively 
monitors click statistics, and we use the corresponding privacy amplification function for 
the direct attack as a result. Without the use of the form of the privacy amplification 
function associated to active click statistics monitoring by Bob, no viable throughput can 
be established for the Earth-to-GEO satellite link.®^ An important requirement to achieve 
viable throughput is to employ a sufficiently large receiveing telescope aperture, since the 
line attenuation due to the spreading of the beam is otherwise completely prohibitive. 

For this example we envisage a receiving telescope with an effective optical aperture of 10 
meters. Although this is a very large optical instrument, this size of receive aperture is 
characteristic of what has been proposed in the literature [ZHj for use in optical communica- 
tions for deep space missions (coincidentally, such proposals for classical optical deep space 
lasercomm have also incorporated 30 cm transmit optics), and this is also available at the 
Keck Telescope Facility on Mauna Kea mountain in Hawaii at an altitude of 13500 feet. For 
the purposes of this example we will imagine that Bob is located at such a site and has 
access to such an instrument. In this case the line attenuation a can be calculated using 
eq. ()204|) and is found to be given by a = —26.4 dB, and we use this value in the numerical 
evaluation of T^opt- In Figure ESI we plot the optimal effective secrecy rate that characterizes 
such a ground-to-GEO satellite quantum cryptography system. Inspection of the curves in 
the graph reveals that, with a laser PRE of 100 picoseconds, a photon detector device effi- 
ciency of ?7 = 50% and a value for the quantum channel intrinsic error of Vc = 0.005, such 
a system should achieve a throughput rate of about 240 Kilobits per second, for a value 
of /iopt = 0.0891. This throughput rate, which should be essentially continuously available 
since Alice is on a GEO satellite, is roughly one-sixth the rate of a standard Tl telecom- 
munications link.^^ The important point is that, as mentioned above, such a link would 
be available for more than the approximately nine-minute period provided by a LEO link 
prior to the disappearance of the latter type of satellite below the horizon, thus potentially 
providing a comparable (or higher) effective integrated throughput value compared to the 
latter. If we now consider a photon detector with a lower device efficiency given by 77 = 30%, 
we find (again for an intrinsic channel error value of r^ = 0.005) an effective throughput rate 
of about 118 Kilobits per second (for a value of /^opt = 0.0884). 

(vi) Free Space Quantum Channel: Satellite-to- Satellite (GEO-to-GEO) Link 

It is interesting to consider the possible use of quantum cryptography for satellite-to-satellite 
communications. There are a wide range of scenarios that might be considered: to illustrate 



^^We do assume that the enemy can mount the strongest possible direct attack, as measured by ze (/i) 
given in ea. (|57|l . 

^^Note that this rate is approximately equal to the throughput rates currently available for the "Mobile 
Subscriber Equipment" (MSE) and "Tri-Service Tactical Communications" (TRITAC) systems, employed 
by the U.S. Army and U.S. Air Force/U.S. Marine Corps, respectively. 
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Figure 33: Effective Rate Graph for Earth-to-Satellite (GEO) Link: a = 
- 10 m telescope at 13500' ; "Alice" - 30 cm telescope on GEO satellite) 



-26.4 dB ("Bob" 



the general problem we will only briefly discuss a GEO-to-GEO satellite link. We will take 
a very simple model of a three-satellite constellation set up to provide a combined footprint 
covering most of the Earth (with the exception of the polar regions), here for simplicity 
assumed to be situated at 120 degree angles with respect to each other. Assuming a GEO 
altitude of 35783 kilometers and noting that the radius of the Earth is 6378 kilometers, we 
consider a satellite-to-satellite crosslink distance of about 48683 kilometers (30250 miles). It 
is clear from the previous example that the line attenuation due to beam spreading will be 
even larger here than for the Earth-to-GEO scenario. In order to achieve useful throughput 
values this large amount of line attenuation would presumably require that the Bob satellite 
be equipped with a receiving instrument that has an effective optical aperture of at least 
10 meters in size, which is considerably larger than the 2.6 meter aperture of the Hubble 
Space Telescope. It might be possible in the future to obtain such an effective aperture for a 
spaceborne light-collecting instrument. In this connection the U.S. National Aeronautics and 
Space Administration (NASA) has recently announced the "Gossamer Spacecraft Initiative" 
[Ml IH3] which is intended to result in a spaceborne telescope with an effective aperture of 
50 meters or more in size. Although this initiative is still in the earliest planning stages, 
such an instrument could be used for quantum cryptography as well as astronomical research 
activities. 
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(vii) Fiber Optic Quantum Channel 

In this example we consider a fiber-optic cable implementation of quantum cryptography. 
We envisage for this example the use of high-quality, polarization-preserving fiber charac- 
terized by an intrisic attenuation characteristic of 0.2 dB per kilometer, and for purposes 
of illustration compare the associated throughput values with results for lower quality fiber 
with an attenuation characteristic of 0.3 dB per kilometer. We take the photon detector 
device efficiency to be 77 = 50%, and we assume that appropriate splicing and insertion of 
suitable dispersion-compensating fiber segments, as discussed in Section 4.2 above, has been 
carried out so as to mitigate the dispersion losses described and analyzed there. To account 
for the associated splicing loss and other system imperfections we assume that the quantum 
channel is characterized by a total bulk loss of -5 dB, in addition to the losses associated 
with the attenuation per unit length. 

In Figure ins we plot several effective secrecy rate curves for this system. In this example, we 
compute throughput rates in the case that the cable remains untouched by the enemy. We 
see that, for a good quality cable with an attenuation characteristic of 0.2 dB per kilometer 
and an intrinsic channel error value of r^ = 0.01, the rate to a distance of 10 kilometers along 
the cable should be at least as high as about 115 Megabits per second, whereas for a cable 
with an attenuation characteristic of 0.3 dB per kilometer (and the same value for r^) the 
corresponding rate should be at least as high as about 88 Megabits per second (in each case 
using a value of /iopt = 0.4). We note that, for any of the illustrated parameter values, ^^ 
for the cable with the attenuation characteristic of 0.3 dB per kilometer any exchange of 
unconditionally secret Vernam cipher material beyond about 33 kilometers is impossible. 
For the higher- quality cable with a loss characteristic of 0.2 dB per kilometer, throughput 
of at least some number of secret key bits is just barely possible to the 50 kilometer point 
in the case of a low error value of Tc = 0.01. 

We now consider the case that the enemy has somehow been able to surreptitiously replace 
the cable with one which is effectively lossless. In Figure!^ we plot several effective secrecy 
rate curves for this system. We see that, for a good quality cable as above with an attenuation 
characteristic of 0.2 dB per kilometer and an intrinsic channel error value of Vc = 0.01, the 
rate to a distance of 10 kilometers along the cable should drop to a value at least as high as 
about 29 Megabits per second, whereas for a cable with an attenuation characteristic of 0.3 
dB per kilometer (and the same value for r^) the corresponding rate should drop to a value 
at least as high as about 20 Megabits per second (in each case in this example we use a value 
of /iopt = 0.1). We note that, for any of the illustrated parameter values, for the cable with 
the attenuation characteristic of 0.3 dB per kilometer any exchange of unconditionally secret 
Vernam cipher material beyond about 24 kilometers is impossible. For the higher-quality 
cable with a loss characteristic of 0.2 dB per kilometer, throughput of at least some number 
of secret key bits is just barely possible to the 36 kilometer point in the case of a low error 
value of rr = 0.01. 
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We display curves with values of r^ = {0.01, 0.02, 0.03, 0.04, 0.05}. 
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Figure 34: Effective Rate Graph for Fiber-Optic Cable Link without Surreptitious Cable 
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Free Space Quantum Channel: Aircraft-to- Satellite (LEO) Link; 1 MHz Photon Detector 



In the above examples we analyzed the throughput rates that will be available with the 
potential development in the future of high-speed photon detectors capable of counting 
photons at a rate of 10 GHz. Here, we compare the rates predicted for the aircraft-to-LEO 
satellite link considered in Figure EH with the effective throughput rates of unconditionally 
secret Vernam cipher that are possible with the use of a "generic" commercially available 
photon detector capable of counting at a rate of 1 MHz, with an assumed value of r^ = 
1 X 10"^ 

In Figure EEl we plot curves corresponding to those shown in Figure EZl The various en- 
vironmental conditions are taken to be identical here as for the previous case, so that the 
various values for /Xopt are identical for each curve (the replacement of r^ = 4.25 x 10~^^ 
with r^ = 1 X 10~^ makes a negligible change in the solution to the optimization equation, 
eq. ()170p ). We find that the new rates reflect the simple, inverse dependence of IZopt on the 
bit cell period r: the highest rate possible in this scenario is about 5700 bits per second for a 
good photon detector with a quantum efficiency of 50% and a high quality quantum channel 
with Tc = 0.005, with various lower rates for the other combinations, as expected. The case 
of r/ = 25% and r^ = 0.01, which is more realistic, yields a highest possible rate of about 
1760 bits per second. 
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Figure 35: Effective Rate Graph for Fiber-Optic Cable Link with Surreptitious Cable Re- 
placement 

5.3.3 Systems with Multiple Transmitter-Receiver Arrangement 

The rates presented in the preceding section were calculated based on the assumption that 
the Alice-and-Bob systems comprise a single transmitter and receiver combination. In con- 
sidering how the data throughput rate may be increased by multiplexing together a number 
of Alice-and-Bob systems, we may make use of the analysis presented in Section 5.2.6. It 
is possible to show that in various situations the effective system throughput rate can be 
increased by making use of a suitably multiplexed multi-beam transmission, just as is done 
in classical lasercomm systems [7T| I72j. An analysis of the various rate improvements that 
are possible through the use of the multiplexing technique described in Section 5.2.6 above 
will be presented in a future paper [77] . 



5.3.4 Rate Improvement with Additional Emerging and Possible Future Tech- 
nology 

A number of other emerging commercial technology developments, as well as research efforts 
that are currently underway, may provide additional means to achieve and improve the overall 
performance characteristics of high speed quantum cryptography systems in the future. 
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Figure 36: Effective Rate Graph for Aircraft-to-Satellite (LEO) Link: a = -10 dB ("Bob" - 
58 cm telescope at 35000' ; "Alice" - 30 cm telescope on LEO satellite; commercial (1 MHz) 
photon detector) 

An emerging commercial technology area that may find useful application in high speed 
quantum cryptography systems in the future would be the incorporation of tiny, fast mir- 
ror switches, such as the mirror components in the recently introduced Lucent WaveStar 
LambdaRouter jHn]. The incorporation of these small optical components in networked 
systems, extending the application of quantum cryptography to allow for integration into 
existing, multi-node communications architectures, is an area that has not been thoroughly 
studied. 

A promising research activity currently supported by the U.S. Defense Advanced Research 
Projects Agency (DARPA) is a project called "Steered Agile Beams" (STAB) conducted 
by the U.S. Air Force Research Laboratory, which is intended to develop chip-scale laser 
beam control components for a number of applications [SZl . If successful, this work should 
in particular benefit applications that depend on adaptive optics to correct for the types 
of atmospheric-induced losses that were considered and calculated in detail in Section 4.1 
above. 
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6 Discussion 

We have carried out a detailed analysis of the various processes and constraints that de- 
termine the operating characteristics of a practical quantum key distribution system. This 
analysis applies generally to quantum cryptography systems built entirely from currently 
available commercial technology. Our results also allow us to establish the requirements 
that need to be satisfied in order to execute practical, unconditionally secret high-speed 
quantum cryptography in actual physical environments. An important objective has been 
to determine the extent to which it is possible to increase system throughput rates to high 
values for actual quantum cryptography systems. Insofar as is possible, we have been guided 
by the desire to achieve this solely with mature, currently available commercial technology. 
Based on the results of our analysis, we have proposed a general quantum cryptography 
design that meets this criterion, with the only system element that is not available today 
as mature technology identified as the necessary fast photon detection apparatus. We have 
mathematically shown that it should be possible to achieve high-speed transmission of se- 
cret Vernam cipher throughput in various scenarios with sufficiently fast photon detectors 
that can operate at a speed of 10 Gigabits-per-second, and we have identified HEP pho- 
ton detection as a promising approach to solving this technological problem. Although our 
calculations show that, due to the extremely large losses and loads that characterize and con- 
strain any practical QC system even this very high speed of photon detection will not suffice 
to achieve Gigabit-per-second throughput values for a single beam arrangement, a properly 
multiplexed multiple beam architecture should be able to achieve rates approaching this. 

Added Note: In the earlier versions of this paper it was asserted without proof that the 
attacks considered in our analysis, namely, direct {i.e., unambiguous state discrimination or 
"USD"), indirect (i.e., photon number splitting or "PNS") and combined (hybrid PNS and 
USD), exhaust all possible individual attacks. In our paper we defined individual attacks 
as "those attacks that do not require that the enemy apply unitary transformations to the 
intercepted state with a quantum computing device" (c/ Footnote 33). Adhering to this 
notion of individual attack, in this revision of our paper we retract our unproved assertion 
that the three aforementioned attacks exhaust all possible individual attacks. We thank 
Professor Jeffrey Shapiro for having first pointed this out to us (Private communication, 
21 November, 2000.) What we do assert is that our attack analysis (contained in Chapter 
3) furnishes a general comparison of the relative strengths of direct, indirect and combined 
attacks, subject to the specific conditions prescribed in the text (such as the condition 
that the enemy cannot manipulate the detector efficiency). As shown in Chapter 3, we 
demonstrate that the combined attack is never the best choice, and our analysis determines 
the circumstances under which indirect (PNS) or direct (USD) constitute the stronger attack. 



164 



7 Acknowledgements 

The members of the MITRE Quantum Information Processing Group, including A. Donadio, 
M. Drake, R. Ewing, J. Guttman, P. Henry and J. Thayer are thanked for many useful dis- 
cussions and comments, with special thanks to A. Donadio for carrying out the FASCODE 
computer simulations and to R. Ewing and J. Guttman for specific helpful contributions to 
the research reported in this paper. J. Babcock, T. Elkins and R. Fante are thanked for 
reading the draft version of this document and for providing various helpful suggestions. M. 
Visser (Washington University in St. Louis) is thanked for several discussions and for carry- 
ing out the calculation in Appendix A. The authors wish to thank R. Sobolewski (University 
of Rochester) and I. Duling, III (U.S. Naval Research Laboratory) for useful discussions 
and comments. The authors also wish to thank particular employees of the U.S. National 
Security Agency for helpful comments and questions. GG in addition wishes to thank Ja. 
F. Providakes and Ji. F. Providakes for encouragement, and especially D. Lehman and 
the MITRE Technology Program for supporting this work and helping him to establish the 
MITRE Quantum Information Processing Group. 



165 



8 Appendices 

A Derivation of the Relation between Intrinsic Chan- 
nel Error and Polarizer Misalignment 

In this section we shall develop for the case of a free-space implementation of quantum 
cryptography an explicit estimate for Tc, the intrinsic channel error rate. The most obvious 
of the problems that could lead to intrinsic channel error are due to the misalignment of the 
polarizers: if they are not quite at 45 degrees or 90 degrees the analysis of the protocol must 
be altered; we now proceed to perform such an analysis in terms of the angular mismatch of 
the polarizers. 

Suppose we have two polarizers, one at the emitting end and one at the receiving end, that 
are rotated with respect to each other by an angle A^. Then the probability that a photon 
will get through the second, given that it gets through the first (and so be detected if it is 
emitted in the first place) is given by Malus's law: 

Prob(A^) = cos2(A^). (301) 

In the situation we are interested in, the photon is emitted in one of four polarization states, 
conventionally at roughly 0, 45, 90, or 135 degrees, {6 G {0, 7r/4, 7r/2, 37r/4}: we shall denote 
these nominal states by ^->, /^, |, \ respectively) with roughly equal (classical) probabilities 
of ~ 1/4. Call the actual probabilities p\ (here e stands for emission; i stands for one of the 
four orientations), and call the actual angles the emission polarizers are set at 9],. 

Now call the actual angles the reception polarizers are set at 6'*; and the actual probability 
that the reception polarizer is set to this position p\. 

The probability that the detector actually sees a photon if it is at a particular setting 9], is 

Prob (detect at i) = ^ p'^ cos^{9i - 91). (302) 

j 

(We note that, if all values are nominal so that p^. — > 1/4, A9 G {0, 7r/4, 7r/2, 37r/4}, this 
reduces to Prob(detect at i) -^ |, independent of i, as it should.) 

If we now average over all detector settings, the probability of detecting a photon is 

Prob (detect) = E E Pe pI cos\9i - 91) . (303) 



This is rather complicated in general. We now consider a useful special case by assuming that 
the probabilities are nominal, so that pl = pl = 1/4, and that the reception and emission 
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polarizers are each perfectly aligned internally, with at most a relative mismatch of S. That 



is: 



and 

Then we find 



9ie{0,n/4,7i/2,3TT/4} (304) 

^^ G {0 + 6, 7r/4 + 6, 7r/2 + 6, 37r/4 + 6} . (305) 

Prob(detect) = (1/4) ■ (1/4) ■ 4 ■ 

cos^{5) + cos^(7r/4 + 5) 



+ cos^(7r/2 + 5) + cos^(37r/4 + 6) 



(306) 



so that 



Prob(detect) = (1/4) [cos\5) + cos'(7r/4 + 5) + sm'{5) + sin'(7r/4 + 5) 

= I- (307) 

This is exactly the same as if there were no angular mismatch, so we do not lose here, 
but this is only the "raw" rate before any processing. The next step proceeds as follows. 
If Bob detects a photon and knows that the receiving polarizer is at angle 61, he may 
query Alice as to whether her polarizer was nominally set at P+ = {0,7r/2} = {^-^, |} or 
Px = {^/4, 37r/4} = {y, \}. When 61 as used by Bob is in the same nominal polarization 
class as {P^ or P^ ) as the bit sent by Alice, Bob keeps it, and otherwise discards it, attributing 
it to a case of crossed polarizers. Doing so nominally throws away half the received bits. 

If we allow pI to deviate from 1/4, the probability that Bob keeps the received bit (received 
at 61) is then given by summing the probabilities that this bit was sent when Alice had her 
polarizers at one of the nominally compatible positions: 

Prob (keep at i detect at ij = ^ pi 9(j compatible with i) . (308) 

3 

(Here G is 1 or depending on whether the polarizer orientations are compatible or incom- 
patible.) 

To be more explicit, we may write 

0(1, 1) = 0(1, H = 0(--, I) = 0(--, H = 1 , (309) 

0(/', /) = 0(/, \) = 0(\, /) = 0(\, \) = 1 , (310) 

0(1, \) = 0(1, \) = 0(--, \) = 0(--, Z) = (311) 
and 

0(\, I) = 0(\, H = 0(/, I) = 0(/, H = . (312) 
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This can be made more compact by defining the simple function: 

p:{--,/4,\}^{+,x} (313) 

so that in terms of the ordinary Kronecker delta one has 

9(i compatible with j) = (5p(j)p(j) , (314) 

and thus 

Prob (keep at i detect at ij = ^ pi 5p{i)p{j) ■ (315) 

3 

Note that this is independent of the actual mismatch angles, and depends only on a priori 
conventional decisions of what constitutes a nominal match or mismatch of the polarization 
orientations. (We note that if all p^ = 1/4 we have Prob(keep at i \ detect at i) -^ (1/4) ■ 
(1 + + 1 + 0) = (1/4) -2 = 1, which is independent of i as it should be.) 

Now, the key step addresses the question: What is the probability that an error is made in 
this last negotiation? 

An error occurs if, despite the fact that Bob and Alice agree on the nominal polarization 
class (P+ or Px ) they disagree on the value of the bit that was transmitted. This happens 
if 9e 7^ Or but 9e and Or are in the same polarization class. (That is, 6e ^ Or i: 7r/2; we will 
write this as Oe = Crossover (^r), meaning pick the other supposedly orthogonal element of 
the polarization basis.) This is explicitly given by: 

Crossover (e^[^]) = O^H] , (316) 

Crossover (^,[/]) = O^W] , (317) 

Crossover (^,[t]) = Oe[^] (318) 

and 

Crossover (^,[\]) = ^e[/] • (319) 

The probability of such an error occurring is then: 

keep at i) = cos'^iOl - Crossover (^^)) . (320) 



Prob (error at i 

The easiest case to deal with is when the emitting and receiving polarizers are each internally 
properly aligned, and the only mismatch is due to an overall rotation between the two. (We 
have already seen that in this case Prob(detect) = ^ and Prob(keep) = | are unaffected.) 
Recall that now we have as exact statements that: 

Or e{0, 71/4,71/2,311/4:} (321) 

and 

Oee{0 + S, 7r/4 + S, 71 /2 + S, 37r/4 + 6} . (322) 
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In this situation 

Crossover (^^) = ^^ + 7r/2 + 5 , (323) 

and the probabihty of error is independent of i and equals 

Prob (error keep) = cos^(7r/2 + 6) = sin^(5) . (324) 

In particular, even if 6 is as big as 1/10 radian (5.7 degrees), the probability of error is less 
than 1%, which is a very useful result, as this amount of airborne platform attitude control 
is easily achievable in practice. 

We now consider the completely general case with arbitrary values for the system angles. 
We already have 

Prob (detect) =Y,J2 pLpI cos''{e{ - 61) . (325) 

« i 
In the same way we find 

Prob (keep) = ^ p^ Prob (keep at z) (326) 

i 

= ^p^ Prob (keep at i detect at i\ Prob (detect at i) (327) 

i 

= EK. (X P^e 5p«P0)j (e Pe ^os\9i - ei)\ . (328) 

We also have 

Prob (error) = y^p^ Prob (error at i) (329) 

i 

= E^r Prob (error at i keep at ij 

i 

xProb (keep at i detect at ij Prob (detect at i) (330) 

= E^r (cos^(^r-Crossover(e;.))) IE Pe<^pWpO) 

^ (y. P^e ^os\ei - ei)\ . (331) 

Although these expressions are rather complicated and too cumbersome to be analytically 
useful, they do have all the correct limits. The important point is that with the application of 
suitably high quality design control the possibility of intrinsic mismatch should not constitute 
a high priority issue. 

Thus, the final, practical result for actual systems is given by eq. ()324j) : The fractional error 
rate due to net polarizer misalignment is given by 

Tc = sm^{5) (332) 

as presented in the text in eq. ()206p . 
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B Packetization Approximation 

Consider a message of length M bits. Applying an error correction code to the message 
results in a string of length xec bits. If the communications protocol supports data frames 
of length ?72p, then the number of packets transmitted is 



M ■ 



XecM 



rrip 



(333) 



All packets but the last are of length nip + fo, where fo is the frame overhead of the com- 
munications protocol. The last packet is shorter, due to the fact that its data frame is not 
full, but contains only {xec'M) mod nip bits. The total number of bits in the transmission 
is then 

C={nip + Q ^^^ + ixEcM) mod nip + f^V {xecM, nip) , (334) 



nip 



where 

P(a, 6)^|'^^""^°;|?^°. (335) 

^ ' ' [on a mod 6 = ^ ^ 

The idea of the packetization approximation is to simplify this expression for large numbers 
of packets so as to avoid the mathematical complication introduced by treating the last 
packet as a special case. We begin by writing the identity 

XecM = m„ + (xecM) mod m„ , (336) 

L nip -I 

from which it follows that 

XecM i ^ XecM _ (xecM) mod nip 
- nip -I nip nip 

Substituting this in eg. ()334|1 gives 



XecM ^_ ^ ^ ^ (xecM) mod nip 



C = {nip + fo) {nip + fo) 



nip nip 



+ {XecM) mod nip + foV {xecM, nip) 
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l + —]xEcM + f, 



V {XECM, ITlp) - 



{XecM) mod nip 



rrir. 



(338) 



The quantity in square brackets is always in the range [0, 1), so that 



fo 



VixEcM, rup 



(XecM) mod rrip 



nir, 



<fo 



(339) 



If the message is long enough to require several packets, that is, if 



XEcM 



» 1 



nir. 



(340) 



then 



/o « /.^^ <(l + ^] XEcM 



Vflr. 



rrir. 



(341) 



which, with eq. (|339p . gives 



fo 



V ixEcM, rrip) - 



{XecM) mod nip 



rrir. 



« 1 



fo 



nir 



XecM . 



(342) 



We may therefore neglect the term in square brackets in eq. ()338|) to obtain 



fo 



C ^ 1 + ^ XEcM 
\ nir, 



(343) 



which is valid as long as eq. ()340p is satisfied. 



C Statistical Results for Error Correction 



The length of the entire sifted string is n. The number of errors in the string after the ith 
iteration of the error detection and correction step is denoted by e^^ , and the number of 
errors before error correction begins is 



(0) _ 



(344) 
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Each iteration of the error detection and correction step begins by breaking the string into 
blocks such that the expected number of errors in each block is less than or equal to the 
parameter q. The number of blocks in the string is then 



jd) 



(i-i) 

6'T' 



(345) 



and the average number of bits per block is 



n 






(346) 



We wish to find an expression for the number of errors remaining after each iteration, from 
which the other parameters of interest can be obtained. At the beginning of the ith iteration, 
there are e^~ errors distributed among J^^^ blocks, so that the probability of a given error 
being in a particular block is 



V (one specific error in a given block) 



J(0 



Ai-i) ■ 



(347) 



The probability of / errors occurring in a given block is given by a binomial distribution: 



V {I errors in a given block) 



I 



(i-1) 
^ ^7^ 



(i-i) 



„(i-l) 
°T 



(348) 



If the number of errors, and thus the number of blocks, is large, this can be approximated 
by a Poisson distribution [SH] as follows: 



V {I errors in a given block) ~ e ^-r 



(349) 



The parity check will reveal an error in the block if and only if there is an odd number of 
errors in the block. The probability of detecting an error is thus 



V (finding an error in the block) ~ e ^ ^ 



~ g^ 



(350) 



odd 



To find the sum over odd /, note first that 



1=0 ''■ 



(351) 
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and 



oo / 

E(-i)'f 



(352) 



so that 



I odd '■• 



(353) 



or 



~ ^' 1 



E 

i odd 



/! 2 



e' - e"^ 



(354) 



and eq. ()35Up becomes 



V (finding an error in the block) 



1-e 



-2s 



(355) 



The expected number of errors found in the ^th iteration is then 



^ 2 



(i-i) 



1) 1 - e-2^ 



2^ 



(356) 



The number of errors remaining after the zth iteration is 



(0 — 



(»"1) Ai) 



T 



1 - e"2e 



2f? 
e« (^f? - 1 + e 



-2s-' 



2q 



(357) 



The quantity in parentheses is a function of q only. We introduce the notation 
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..H^-ii^, (35, 



in terms of which eq. ()H57j] becomes 



.W ^ /?.(^-i) 



pe^T ' . (359) 

We proceed by induction to obtain the number of errors remaining after the ith iteration in 
terms of the initial number of errors and /5, which is a function of the parameter g introduced 
to estabhsh the block size for error detection: 

e? ~ f3'e? . (360) 

The number of errors found during the ith iteration is then 



1.(0) 



€■ f Grp ^rp 



~ {l-p)(3'-'e'T' . (361) 

The number of blocks for the zth pass is approximately 



J^-i) 

Q 
,(0) 



Q 



~ P'-^-^ , (362) 



and the number of bits in a block is 



fc« - — 



gn 



p^-^e. 



1.(0) 



(363) 



The error detection and correction step ends when there would be two or fewer blocks for 
the subsequent iteration. The number of iterations completed, A''i, thus satisfies 

J(^i+^) < 2 , (364) 
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or 



/9 






< 2 



Q 



(365) 



so that 



^ - JO) 



(366) 



and, since P < I, 



N, 






(367) 



The expected number of errors remaining after this step is then 



,W 



^i„(0) 

On 



(3 Crp 

2g. 



(36^ 



We next estimate the number of iterations in the vahdation step. Each iteration detects 
either a single error or no errors. Let iVg denote the number of iterations in which no error 
is detected, and let iVg denote the number of iterations in which an error is detected. The 
iterations continue until there are N2 successive iterations in which no error is detected. 



First we find N2 , 



which can be written 



N. 



(n) 



00 
1=0 



{l)V {I residual errors) 



(369) 



where iV*^"^ (/) is the expected number of error-free iterations when there are initially / errors. 
We find this by induction. If there are no errors, no iterations will detect an error, and the 
process will end after N2 iterations: 



iV(") (0) = N2 



(370) 



If there are I + 1 errors, then one of two things can occur. There may be N2 successive 
iterations without errors, or an error may be detected on the iteration following A^ error-free 
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iterations, where < A^ < A^2 — 1- If an error is found, the process repeats from a starting 
point of / residual errors. This gives the following recurrence relation: 



iV^"' {I + 1) = N2V (N2 successive error — free iterations 



/ + 1 residual errors 



A'2-l 



y^ IN -\- JV*-'"^ (/) V (N successive error — free iterations 



N=0 



■V { 1 error — detected iteration 



/ + 1 residual errors) . 



/ + 1 residual errors 
(371) 



We need to find several probabilities to make use of this formula. We begin by investigating 
the probability of an error-detected iteration given / residual errors. The error detection 
algorithm first builds a block of bits by selecting bits from the original string at random. 
The parity of the block is computed, and an error will be detected if there is an odd number 
of errors in the randomly selected block. This gives the following expression for the desired 
probability: 



V [1 error — detected iteration / residual errors) = ^ 



;' odd 



1\'' /l^ '"'' 



(372) 



We use the identities 



l'=0 \' 



2) \2 



('=0 V" / 



r--tm(r 



(373) 



and 



Sv^7V2) (2) ]^X^' 



which holds for / > 1. This gives 



i^v 



1 1^' 

2^2. 



(374) 



E 

V odd 



/\ /I 



/'/ V2 



r /I s i~i 



(375) 



from which we obtain the result 
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V (l error — detected iteration 



/ residual errors 



(376) 



provided 1^0. If / = 0, there is no error to detect, and the probabihty is 0, so that our final 
result is 



V 1 1 error — detected iteration 



/ residual errors) = - (1 — 61^] 



(377) 



This is a sensible result. Since the block of bits is selected at random, there should be no 
bias towards an even or an odd number of errors in the block, unless there are no errors to 
start with. 

The probability of an error-free iteration is found by subtracting this result from 1: 



V (1 error — free iteration / residual errors) = - (1 + 5/ 0) . 



(378) 



The probability of A^ successive error-free iterations is thus 



V (N successive error — free iterations / residual errors) = Si^ + (1 — Si^) ( - ) . (379) 



With these results, eq. fj371|) becomes 



iV(") (/ + 1) 



Noi^ 



N2 



N2~l 

N=0 
I.N2 

2) "^ 

^^2-1 /I X N+1 



N 



+ E 

N=0 



1\ 1^2' 

2 



N + iV(") (Z) 



:-,r 



iv(") (/) 



(380) 



Introducing 
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A 



1\ ^"2- 

2 



this becomes 



(381) 



iV(") (/ + 1) 



A + AiV(") (/) 



A'+^iV, 



1-A 



(382) 



Renaming the argument of the function to / gives, for / > 0, 



iV(")(Z) = A^N2 + 



A - A'+^ 
I- A 



1 — 4' 



1-A 



I.N, 
2) 

1\ ^2- 



iVo + 2 



Nn 



N2 



-iV 



N2 - 2^2 + 1) + (2^2 - 1 



(383) 



Practical values of A'^2 ~ 30 imply that 



N2 



« 1 



(384) 



In this limit, eq. (|383|) becomes 



iV(") (/) 



/I \ ^2' 
/ (^j (iV2 - 2^^ + 1) + (2^^ 



~ m 



i-i 



N2 






iV2 + /. 



(385) 



Substituting this in eq. ()369|) yields 
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(386) 



where we have used eq. fl368p to estimate the number of errors at the beginning of the process. 

( f) 
The recurrence relation for N2 , the number of iterations during which an error is detected 

is 



N^-'' (/ + 1) = ■ P ( A^2 successive error — free iterations 

N2-1 
+ j] [1 + iV(^) (/) 



/ + 1 residual errors 



V [N successive error — free iterations 



7V=0 

V (1 error — detected iteration 



/ + 1 residual errors) . 



/ + 1 residual errors 

(387) 



The value at / = is 



N^f^ (0) = , (388) 

since there are no errors to be detected in this case. Use of eq. fl377|) and eq. ()379p yields the 
result 



Ar{/)(/) ^ (2^2-1) 



from which we find 



N2 



(389) 



N. 



if) 



<l> 

(r) 

2g. 



(390) 



Finally, we estimate an upper bound for the probability that an error remains after the 
validation step. The probability of one or more residual errors is 
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Presid = "P (residual errors 



No error free iterations 



V (residual errors and N2 error free iterations) 
V {N2 error free iterations) 



J2'iZi V {N2 error free iterations 



/ residual errors) V (/ residual errors) 



< 



X^^o"^ (^2 error free iterations / residual errors) V {I residual errors) 
J2'^i V {N2 error free iterations / residual errors) V {I residual errors) 



V (N2 error free iterations residual errors) V (0 residual errors) 

(391) 

By the argument that led to eq. ()379p . if there are residual errors in the string, the probability 
of N2 successive error-free iterations is 



/I \ ^2 
V f A^2 error free iterations / residual errors) = ( - ) ) (392) 



N2 
2, 

and the probability of any number of error free iterations in the absence of residual errors is 
1, so that eq. ()39H) becomes 



N, 



Presid 



< 



< 



Y^t^i (I) 'P {I residual errors) 

V (0 residual errors) 

\ N2 
I) V (residual errors) 



V (0 residual errors) 

< \31 _ (393) 

~ V {0 residual errors) 

The probability of residual errors after the validation step is no less than the probability 
of residual errors after the error detection and correction step, since the validation step 
introduces no errors. We expect the errors remaining after the error detection step to be 
Poisson distributed with mean ~ 2g, so that 

V (0 residual errors) > e"^^ (394) 

and 
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Presid 



ir 





< 

e-2e 

N2 
< e'^i-) . (395) 



For a reasonable choice of ^ ~ 0.5, the exponential factor is less than an order of magnitude, 
so that we may write 

Pres^d < 0(10) ■ (^-j (396) 

for an upper bound on the probability that residual errors remain in the string after the 
validation step. This is a crucial result, since even a single error in the string will render the 
entire key useless after the privacy amplification hash function is applied. 



D Assembly Code Segments 

These segments of assembly code were developed to support an estimate of the number of 
operations required to carry out the computations in sifting, error correction, and privacy 
amplification. The emphasis is on the code that executes within loops that iterate through 
the bits of the key material being processed. In each case, a description of the context 
required for the code segment precedes the code itself. 

The assembly language used is a variant of the IBM 370 assembly language. The principal 
extension is the use of register increment and decrement instructions. We have also ignored 
the distinction between incrementing a counter by one and incrementing an index register 
by the size of an array element, since either operation requires exactly one instruction. Note 
also the use of unsigned arithmetic operations when operating on multi-word integers. 



D.l Code to compute block parity 

The bits have been unpacked so that each bit occupies one word 

Register B contains the address of the beginning of the block 

Register END contains the address of the first word beyond the end of the block 

When done, register PARITY will contain the parity of the block 
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SR 


PARITY, PARITY 


Clear parity register 


STARTLOOP 


CR 


B, END 


Check if end of block 
is reached 




BGE 


DONE 






XOR 


PARITY, 0(B) 


Update parity register 




INC 


B 


Increment to get address of 
next bit 




B 


STARTLOOP 




DONE 


EQU 


* 


Exit from loop 



Instruction count: 5 instructions in loop 
Iteration count: 1 iteration per input bit 



D.2 Code to extract substring for hash function 

BUF contains the full bit string packed into memory 

10 contains the word index for the start of the substring 

11 contains the bit offset for the start of the substring 

JO contains the word index for the start of the next substring 

Jl contains the bit offset for the start of the next substring 

MASKA and MASKB are arrays containing bit masks for right and left justified substrings 
within a word 

SHIFTA = W- log2 W and SHIFTB = logs ^ are shift counts used to update the start 
of string indices, 10, II, JO, and Jl, for the next iteration, where W is the wordsize of the 
machine 

LEN = 2s is the size of the substring to which the hash function is applied 

Register names of form RO, Rl indicate linked even-odd register pairs 

When done, register pair AO, Al will contain the substring, right justified 



L 


A1,BUF(I0) 




N 


A1,MASKA(I1) 




SR 
LR 


AO, AO 
DELTA, JO 


First part of substring, right 
justified in AO+Al 
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SR 


DELTA, 10 






C 


DELTA, ONE 


Substring spans 2 words or 3? 




BLE 


TWOWORDS 






C 


Jl, ZERO 






BE 


TWOWORDS 






LR 


AO, Al 


Move first part of substring into 
higher register 




LR 


K, 10 






INC 


K 






L 


Al, BUF(K) 


Move second part of substring into 
lower register 


TWOWORDS 


L 


Bl, BUF(JO) 






N 


Bl, MASKB(Jl) 






SR 


BO, BO 






SLDLR 


BO, Jl 


Final part of substring, right 
justified in BO 




SLDLR 


AO, Jl 






OR 


Al, BO 


Substring right justified in AO+Al 




LR 


10, JO 


Increment substring indices for 
next iteration 




LR 


11, Jl 






SLL 


Jl, SHIFTA 






SLDL 


JO, SHIFTB 






A 


JO, LEN 






SRDL 


JO, SHIFTB 






SRL 


Jl, SHIFTA 





Instruction count: 26 instructions 



D.3 Code to compute Carter- Wegman afRne hash function for 
double-word integers 

Input in linked pair of registers AO, Al 

Multiplier in MO, Ml 

Additive parameter in PO, PI 

When done, result is in registers EO, El, E2, and E3 



LR 



Bl, AO 



Upper word 
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LR 


CI, Al 


Lower word 




LR 


Dl, AO 


Upper word 




SR 


AO, AO 


Clear upper words for 
multiplication 




SR 


BO, BO 






SR 


CO, CO 






SR 


DO, DO 






MU 


AO, Ml 


Multiply pairwise 




MU 


BO, Ml 






MU 


CO, MO 






MU 


DO, MO 






SR 


CARRY, CARRY 


Clear carry for additions 




LR 


E3, Al 


Lowest order word 




AUR 


E3, PI 






BCZ 


NOCARRYl 


Branch if carry is zero 




INC 


CARRY 




NOCARRYl 


LR 


E2, CARRY 


Next higher order word 




SR 


CARRY, CARRY 






AUR 


E2, AO 






BCZ 


N0CARRY2 






INC 


CARRY 




N0CARRY2 


AUR 


E2, Bl 






BCZ 


N0CARRY3 






INC 


CARRY 




N0CARRY3 


AUR 


E2, CI 






BCZ 


N0CARRY4 






INC 


CARRY 




N0CARRY4 


AUR 


E2, PO 






BCZ 


N0CARRY5 






INC 


CARRY 




N0CARRY5 


LR 


El, CARRY 


Next higher order word 




SR 


CARRY, CARRY 






AUR 


El, BO 






BCZ 


N0CARRY6 






INC 


CARRY 




N0CARRY6 


AUR 


El, CO 






BCZ 


N0CARRY7 






INC 


CARRY 




N0CARRY7 


AUR 


El, Dl 






BCZ 


N0CARRY8 






INC 


CARRY 




N0CARRY8 


LR 


EO, CARRY 


Highest order word 




AUR 


EO, DO 
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Instruction count: 43 instructions 



D.4 Code to compute multi-word hash function for privacy am- 
pUfication 

Input string is the multiplicand (A^ words) 

Multiplier is first parameter of hash function (A^ words) 

Output array initially contains the second, additive parameter of hash function in the lower 
order A^ words, the higher order A^ + 1 words are clear (2A^ + 1 words) 

ASTART and AEND are addresses of highest and lowest order words of multiplier 

BSTART and BEND are addresses of highest and lowest order words of multiplicand 

CSTART is address of array of partial products 

CROW is the size of a row of partial products {2N + 1 words) 

CSIZE is the full size of the array of partial products {N(2N + 1) words) 

CEND is address of first word beyond partial products array 

DSTART and DEND are addresses of the highest and lowest order words in output array 

When done, the output array contains the full result of the affine transformation. The 
selection of the hashed substring is accomplished by saving only the portions of the output 
array that constitute the hashed substring. 





SR 


Z, Z 




L 


I, CSTART 




LR 


J, I 




A 


J, CSIZE 


CLEAR 


CR 


I, J 




BGE 


MULTIPLY 




ST 


Z, 0(1) 




INC 


I 




B 


CLEAR 


MULTIPLY 


L 


I, AEND 




L 


K, CSTART 




A 


K, CROW 




DEC 


K 



Zero 

Start of output array 

One word beyond end of array 



Clear output array entry 



Multiplier index 



Partial products end of row index 
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c 


I, ASTART 




BL 


ADD 


Branch when done multiplication 


L 


MP, 0(1) 


Get multiplier word 


L 


J, BEND 


Multiplicand index 


LR 


L, K 


Partial products entry index 


LR 


LP, L 




DEC 


LP 


Next higher order entry index 


LR 


LPP, LP 




DEC 


LPP 


Next higher order entry index 


C 


J, BSTART 




BL 


MCANDEND 


Branch when this row done 


L 


MC1,0(J) 


Get multiplicand word 


SR 


HCARRY, HCARRY 


Clear high order carry 


SR 


MCO, MCO 




MUR 


MCO, MP 


Multiply unsigned 


AU 


MCI, 0(L) 


Add carry from previous multiply 


BCZ 


NOCARRYl 


Carry? 


INC 


MCO 


Add in the carry 


BCZ 


NOCARRYl 


Carry? 


INC 


HCARRY 


Increment high order carry 


A 


MCO, 0(LP) 


Add previous high order carry 


BCZ 


N0CARRY2 


Carry? 


INC 


HCARRY 


Increment high order carry 


ST 


MCI, 0(L) 


Store results 


ST 


MCO, 0(LP) 




ST 


HCARRY, O(LPP) 




DEC 


J 


Decrement indices for next word 
of multiplicand 


DEC 


L 




DEC 


LP 




DEC 


LPP 




B 


MCAND 




DEC 


I 


Update indices for next word 
of multiplier 


A 


K, CROW 




DEC 


K 




B 


MPLIER 




L 


L, CSTART 




A 


L, CROW 




DEC 


L 


Low order word in row 


LR 


M, DEND 


Result index 


SR 


CARRY, CARRY 


Clear carry 


C 


M, DSTART 




BL 


OUTEREND 
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LR 


SUM, CARRY 


Start with carry from previous sum 




SR 


CARRY, CARRY 


Clear carry 




LR 


K, L 


Entry index 


INNER 


C 


K, CEND 






BGE 


INNEREND 






AU 


SUM, 0(K) 


Add unsigned 




BCZ 


N0CARRY3 






INC 


CARRY 




N0CARRY3 


A 


K, CROW 


Next word to add 




B 


INNER 




INNEREND 


ST 


SUM, 0(M) 


Store result in output array 




DEC 


L 


Start for next column 




DEC 


M 


Index for next entry in 
output array 




B 


OUTER 




OUTEREND 


EQU 


* 


DONE 



We introduce the notation 



N„ 



n 
w 



(397) 



for the number of words in the string to be hashed, where n is the number of bits in the 
string and w is the wordsize. 

Instruction and iteration counts: 

CLEAR loop - 5 instructions, {2Nw + l)Nuj iterations 

MPLIER loop - 13 instructions, N^j iterations 

MCAND loop - 22 instructions, A''^ iterations 

OUTER loop - 9 instructions, {2N^ + 1) iterations 

INNER loop - 7 instructions, (2^"^ + 1)^"^ iterations 

Total: 9 + 43^"^ + AQN^ instructions 
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